formbook | f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a

General

Target

a5c131c279492a7c4faf41aeb9d74df3.exe
Size

225KB
MD5

a5c131c279492a7c4faf41aeb9d74df3
SHA1

b9682208bfd207f5ba509841babfc373abfb32a0
SHA256

f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a
SHA512

9431ccddf09aac7f7c02acb501533f4892a3c5d65f999bcbdd0afaa02ab57af8542007064c1516ab8538a062288092c0e18686a34300a92dd918120e3fc2bb77
SSDEEP

3072:qUJoFfWzzl+cSMJysmAtGiTAumzXrz8FTE/CmDp9h4fP8oojb/fQE1a0oDmeWqH4:qweEp1wiTATO41hos/o0oYCoc7zd4Gi

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hpljh.exehpljh.exe

pid process

936 hpljh.exe
1608 hpljh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hpljh.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation hpljh.exe
Loads dropped DLL 3 IoCs

Processes:

a5c131c279492a7c4faf41aeb9d74df3.exehpljh.exemsdt.exe

pid process

1104 a5c131c279492a7c4faf41aeb9d74df3.exe
936 hpljh.exe
1492 msdt.exe

pid	process
936	hpljh.exe
1608	hpljh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	hpljh.exe

pid	process
1104	a5c131c279492a7c4faf41aeb9d74df3.exe
936	hpljh.exe
1492	msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hpljh.exehpljh.exemsdt.exe

description	pid	process	target process
PID 936 set thread context of 1608	936	hpljh.exe	hpljh.exe
PID 1608 set thread context of 1360	1608	hpljh.exe	Explorer.EXE
PID 1492 set thread context of 1360	1492	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

hpljh.exemsdt.exe

pid	process
1608	hpljh.exe
1608	hpljh.exe
1608	hpljh.exe
1608	hpljh.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

hpljh.exehpljh.exemsdt.exe

pid process

936 hpljh.exe
1608 hpljh.exe
1608 hpljh.exe
1608 hpljh.exe
1492 msdt.exe
1492 msdt.exe
1492 msdt.exe
1492 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hpljh.exemsdt.exe

description pid process

Token: SeDebugPrivilege 1608 hpljh.exe
Token: SeDebugPrivilege 1492 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

pid	process
1360	Explorer.EXE

pid	process
936	hpljh.exe
1608	hpljh.exe
1608	hpljh.exe
1608	hpljh.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe
1492	msdt.exe

description	pid	process
Token: SeDebugPrivilege	1608	hpljh.exe
Token: SeDebugPrivilege	1492	msdt.exe

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a5c131c279492a7c4faf41aeb9d74df3.exehpljh.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1104 wrote to memory of 936	1104	a5c131c279492a7c4faf41aeb9d74df3.exe	hpljh.exe
PID 1104 wrote to memory of 936	1104	a5c131c279492a7c4faf41aeb9d74df3.exe	hpljh.exe
PID 1104 wrote to memory of 936	1104	a5c131c279492a7c4faf41aeb9d74df3.exe	hpljh.exe
PID 1104 wrote to memory of 936	1104	a5c131c279492a7c4faf41aeb9d74df3.exe	hpljh.exe
PID 936 wrote to memory of 1608	936	hpljh.exe	hpljh.exe
PID 936 wrote to memory of 1608	936	hpljh.exe	hpljh.exe
PID 936 wrote to memory of 1608	936	hpljh.exe	hpljh.exe
PID 936 wrote to memory of 1608	936	hpljh.exe	hpljh.exe
PID 936 wrote to memory of 1608	936	hpljh.exe	hpljh.exe
PID 1360 wrote to memory of 1492	1360	Explorer.EXE	msdt.exe
PID 1360 wrote to memory of 1492	1360	Explorer.EXE	msdt.exe
PID 1360 wrote to memory of 1492	1360	Explorer.EXE	msdt.exe
PID 1360 wrote to memory of 1492	1360	Explorer.EXE	msdt.exe
PID 1492 wrote to memory of 2008	1492	msdt.exe	Firefox.exe
PID 1492 wrote to memory of 2008	1492	msdt.exe	Firefox.exe
PID 1492 wrote to memory of 2008	1492	msdt.exe	Firefox.exe
PID 1492 wrote to memory of 2008	1492	msdt.exe	Firefox.exe
PID 1492 wrote to memory of 2008	1492	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\a5c131c279492a7c4faf41aeb9d74df3.exe
"C:\Users\Admin\AppData\Local\Temp\a5c131c279492a7c4faf41aeb9d74df3.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjcnqk.ucy
Filesize
5KB

MD5
54e0e76113007819985eaddacf9981e0

SHA1
e2817c8a079ed3fe23b4e7cc20ac216cab5f71df

SHA256
8879822873d43a514773a7cdd8d9621cea35dbda5254921e4cdd3852f2fb7a70

SHA512
a61df458c27886a23737732617361fe4f5445a2b82da827150a07bb4cff76071ad778d87348d6b8b17fd8e6f93e426254cb62d6f8ce389b0f89570ca68f2dd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwjuoxw.x
Filesize
185KB

MD5
ee3288ffe86a657552d2c9c8464de868

SHA1
bb8289bbb5746bb655b661bcea180e9c7188399a

SHA256
bf839e9f2f3ca0858aefb5a7c337e9f5672208f54a69df7b373e59788c213a0b

SHA512
feab7269b99e8a0e149313c244e1d2d1b27c0d6ee87ec72752c87bf6c6152324600e6f1b085397b8a7860811eb391f2e8e622c552aceeae4bca1a2b6548bb71e

Download Submit
\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1360-68-0x00000000070A0000-0x0000000007224000-memory.dmp

Filesize
1.5MB

Download
memory/1360-77-0x0000000007230000-0x00000000073B5000-memory.dmp

Filesize
1.5MB

Download
memory/1360-75-0x0000000007230000-0x00000000073B5000-memory.dmp

Filesize
1.5MB

Download
memory/1492-73-0x00000000023F0000-0x00000000026F3000-memory.dmp

Filesize
3.0MB

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1492-71-0x0000000000D60000-0x0000000000E54000-memory.dmp

Filesize
976KB

Download
memory/1492-72-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1492-74-0x0000000000AC0000-0x0000000000B4F000-memory.dmp

Filesize
572KB

Download
memory/1492-76-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1608-67-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1608-66-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1608-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1608-62-0x00000000004012B0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads