formbook | f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a

General

Target

tmp.exe
Size

225KB
MD5

a5c131c279492a7c4faf41aeb9d74df3
SHA1

b9682208bfd207f5ba509841babfc373abfb32a0
SHA256

f3ddd84b590f6579c2bb685fa8bb486564c0ba53ff5619565feba5b79aba251a
SHA512

9431ccddf09aac7f7c02acb501533f4892a3c5d65f999bcbdd0afaa02ab57af8542007064c1516ab8538a062288092c0e18686a34300a92dd918120e3fc2bb77
SSDEEP

3072:qUJoFfWzzl+cSMJysmAtGiTAumzXrz8FTE/CmDp9h4fP8oojb/fQE1a0oDmeWqH4:qweEp1wiTATO41hos/o0oYCoc7zd4Gi

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hpljh.exehpljh.exe

pid process

968 hpljh.exe
1844 hpljh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hpljh.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation hpljh.exe
Loads dropped DLL 3 IoCs

Processes:

tmp.exehpljh.execmmon32.exe

pid process

1672 tmp.exe
968 hpljh.exe
1096 cmmon32.exe

pid	process
968	hpljh.exe
1844	hpljh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	hpljh.exe

pid	process
1672	tmp.exe
968	hpljh.exe
1096	cmmon32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

hpljh.exehpljh.execmmon32.exe

description	pid	process	target process
PID 968 set thread context of 1844	968	hpljh.exe	hpljh.exe
PID 1844 set thread context of 1260	1844	hpljh.exe	Explorer.EXE
PID 1844 set thread context of 1260	1844	hpljh.exe	Explorer.EXE
PID 1096 set thread context of 1260	1096	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

hpljh.execmmon32.exe

pid	process
1844	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

hpljh.exehpljh.execmmon32.exe

pid process

968 hpljh.exe
1844 hpljh.exe
1844 hpljh.exe
1844 hpljh.exe
1844 hpljh.exe
1096 cmmon32.exe
1096 cmmon32.exe
1096 cmmon32.exe
1096 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hpljh.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1844 hpljh.exe
Token: SeDebugPrivilege 1096 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE

pid	process
968	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1844	hpljh.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe
1096	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1844	hpljh.exe
Token: SeDebugPrivilege	1096	cmmon32.exe

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exehpljh.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1672 wrote to memory of 968	1672	tmp.exe	hpljh.exe
PID 1672 wrote to memory of 968	1672	tmp.exe	hpljh.exe
PID 1672 wrote to memory of 968	1672	tmp.exe	hpljh.exe
PID 1672 wrote to memory of 968	1672	tmp.exe	hpljh.exe
PID 968 wrote to memory of 1844	968	hpljh.exe	hpljh.exe
PID 968 wrote to memory of 1844	968	hpljh.exe	hpljh.exe
PID 968 wrote to memory of 1844	968	hpljh.exe	hpljh.exe
PID 968 wrote to memory of 1844	968	hpljh.exe	hpljh.exe
PID 968 wrote to memory of 1844	968	hpljh.exe	hpljh.exe
PID 1260 wrote to memory of 1096	1260	Explorer.EXE	cmmon32.exe
PID 1260 wrote to memory of 1096	1260	Explorer.EXE	cmmon32.exe
PID 1260 wrote to memory of 1096	1260	Explorer.EXE	cmmon32.exe
PID 1260 wrote to memory of 1096	1260	Explorer.EXE	cmmon32.exe
PID 1096 wrote to memory of 964	1096	cmmon32.exe	Firefox.exe
PID 1096 wrote to memory of 964	1096	cmmon32.exe	Firefox.exe
PID 1096 wrote to memory of 964	1096	cmmon32.exe	Firefox.exe
PID 1096 wrote to memory of 964	1096	cmmon32.exe	Firefox.exe
PID 1096 wrote to memory of 964	1096	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
"C:\Users\Admin\AppData\Local\Temp\hpljh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjcnqk.ucy
Filesize
5KB

MD5
54e0e76113007819985eaddacf9981e0

SHA1
e2817c8a079ed3fe23b4e7cc20ac216cab5f71df

SHA256
8879822873d43a514773a7cdd8d9621cea35dbda5254921e4cdd3852f2fb7a70

SHA512
a61df458c27886a23737732617361fe4f5445a2b82da827150a07bb4cff76071ad778d87348d6b8b17fd8e6f93e426254cb62d6f8ce389b0f89570ca68f2dd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwwjuoxw.x
Filesize
185KB

MD5
ee3288ffe86a657552d2c9c8464de868

SHA1
bb8289bbb5746bb655b661bcea180e9c7188399a

SHA256
bf839e9f2f3ca0858aefb5a7c337e9f5672208f54a69df7b373e59788c213a0b

SHA512
feab7269b99e8a0e149313c244e1d2d1b27c0d6ee87ec72752c87bf6c6152324600e6f1b085397b8a7860811eb391f2e8e622c552aceeae4bca1a2b6548bb71e

Download Submit
\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
\Users\Admin\AppData\Local\Temp\hpljh.exe
Filesize
7KB

MD5
ace05960243c6e7aaf5781461abe17cb

SHA1
47685952a9f8fa378e646b486554f40783480d23

SHA256
b6db1550533e56708aef093cc94bc003f3ed669b2674fd32ad3235f55dbac2e0

SHA512
7a2ea5d897c96026dd910300b330808740445f89d2ec0b4008522b3f578eea7080eed1763adf15e03b58854476f4d17dd2eacec583bff287e2d9ebf74c16c9a8

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
949KB

MD5
38a3e021eb32c9976adaf0b3372080fc

SHA1
68e02803c646be21007d90bec841c176b82211fd

SHA256
8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652

SHA512
b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1096-75-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1096-71-0x0000000000000000-mapping.dmp

Download
memory/1096-79-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1096-77-0x00000000008C0000-0x000000000094F000-memory.dmp

Filesize
572KB

Download
memory/1096-76-0x0000000000B30000-0x0000000000E33000-memory.dmp

Filesize
3.0MB

Download
memory/1096-74-0x0000000000F20000-0x0000000000F2D000-memory.dmp

Filesize
52KB

Download
memory/1260-68-0x0000000004C90000-0x0000000004E17000-memory.dmp

Filesize
1.5MB

Download
memory/1260-70-0x0000000004E20000-0x0000000004F24000-memory.dmp

Filesize
1.0MB

Download
memory/1260-78-0x0000000004B70000-0x0000000004C6E000-memory.dmp

Filesize
1016KB

Download
memory/1260-81-0x0000000004B70000-0x0000000004C6E000-memory.dmp

Filesize
1016KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1844-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-73-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1844-69-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1844-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-67-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1844-66-0x0000000000B20000-0x0000000000E23000-memory.dmp

Filesize
3.0MB

Download
memory/1844-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1844-62-0x00000000004012B0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads