formbook | bd8b30254ce1d23baba8b52511a03859a95e759af99a7786b5c9ad9da6d15da1

Resubmissions

18-11-2022 18:24

221118-w112ksbd44 10

18-11-2022 18:17

221118-wxa1zsfb2w 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-11-2022 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

377KB
MD5

380689c77c0e774a6eacdc773283fece
SHA1

0ff5ecc5efbf9515f785b04b611a9f96e7647548
SHA256

bd8b30254ce1d23baba8b52511a03859a95e759af99a7786b5c9ad9da6d15da1
SHA512

25ef7f5670b93d4af0aaa55c0b3d639e4fab73984e97c615bca34024dccbabc9afae0be1a2267d111c8b82defb9178f95d79bb76723d0a5483589f558e5faa05
SSDEEP

6144:MEa0NRBZNlii7YmnVEXV6ZreY/lwPSiJQcodpV0RnVBnVH9Wej4KHb8Cayf+/mAq:XRBZNv7Y4VaVa/mP3SGVBfWywyfcpisU

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hdagc.exehdagc.exe

pid process

3832 hdagc.exe
1468 hdagc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hdagc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation hdagc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3832	hdagc.exe
1468	hdagc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	hdagc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hdagc.exehdagc.execmstp.exe

description	pid	process	target process
PID 3832 set thread context of 1468	3832	hdagc.exe	hdagc.exe
PID 1468 set thread context of 1748	1468	hdagc.exe	Explorer.EXE
PID 3988 set thread context of 1748	3988	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2482096546-1136599444-1359412500-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

hdagc.execmstp.exe

pid	process
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1748 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

hdagc.exehdagc.execmstp.exe

pid process

3832 hdagc.exe
1468 hdagc.exe
1468 hdagc.exe
1468 hdagc.exe
3988 cmstp.exe
3988 cmstp.exe
3988 cmstp.exe
3988 cmstp.exe

pid	process
1748	Explorer.EXE

pid	process
3832	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
1468	hdagc.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe
3988	cmstp.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

hdagc.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1468	hdagc.exe
Token: SeDebugPrivilege	3988	cmstp.exe
Token: SeShutdownPrivilege	1748	Explorer.EXE
Token: SeCreatePagefilePrivilege	1748	Explorer.EXE
Token: SeShutdownPrivilege	1748	Explorer.EXE
Token: SeCreatePagefilePrivilege	1748	Explorer.EXE
Token: SeShutdownPrivilege	1748	Explorer.EXE
Token: SeCreatePagefilePrivilege	1748	Explorer.EXE
Token: SeShutdownPrivilege	1748	Explorer.EXE
Token: SeCreatePagefilePrivilege	1748	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exehdagc.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2176 wrote to memory of 3832	2176	tmp.exe	hdagc.exe
PID 2176 wrote to memory of 3832	2176	tmp.exe	hdagc.exe
PID 2176 wrote to memory of 3832	2176	tmp.exe	hdagc.exe
PID 3832 wrote to memory of 1468	3832	hdagc.exe	hdagc.exe
PID 3832 wrote to memory of 1468	3832	hdagc.exe	hdagc.exe
PID 3832 wrote to memory of 1468	3832	hdagc.exe	hdagc.exe
PID 3832 wrote to memory of 1468	3832	hdagc.exe	hdagc.exe
PID 1748 wrote to memory of 3988	1748	Explorer.EXE	cmstp.exe
PID 1748 wrote to memory of 3988	1748	Explorer.EXE	cmstp.exe
PID 1748 wrote to memory of 3988	1748	Explorer.EXE	cmstp.exe
PID 3988 wrote to memory of 4436	3988	cmstp.exe	Firefox.exe
PID 3988 wrote to memory of 4436	3988	cmstp.exe	Firefox.exe
PID 3988 wrote to memory of 4436	3988	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\hdagc.exe
"C:\Users\Admin\AppData\Local\Temp\hdagc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\hdagc.exe
"C:\Users\Admin\AppData\Local\Temp\hdagc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4552

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hdagc.exe
Filesize
350KB

MD5
e6be16d56c855b6aa848ddfb4b76b607

SHA1
2339afccd15ef2af9384ec45f6a6a8e85b7bcb9b

SHA256
b5134e849ccca9a7cd7705aad5b03ebd676409382fa2c65d09c6d9a15a41fedb

SHA512
a793b4ed326705eebd8971f165f181eec48e3b0ca9db9eee7fc751219b08f232905537e6e11bee9a2047c8d4655bd527de30886867b09667a9b43fb632efd81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdagc.exe
Filesize
350KB

MD5
e6be16d56c855b6aa848ddfb4b76b607

SHA1
2339afccd15ef2af9384ec45f6a6a8e85b7bcb9b

SHA256
b5134e849ccca9a7cd7705aad5b03ebd676409382fa2c65d09c6d9a15a41fedb

SHA512
a793b4ed326705eebd8971f165f181eec48e3b0ca9db9eee7fc751219b08f232905537e6e11bee9a2047c8d4655bd527de30886867b09667a9b43fb632efd81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdagc.exe
Filesize
350KB

MD5
e6be16d56c855b6aa848ddfb4b76b607

SHA1
2339afccd15ef2af9384ec45f6a6a8e85b7bcb9b

SHA256
b5134e849ccca9a7cd7705aad5b03ebd676409382fa2c65d09c6d9a15a41fedb

SHA512
a793b4ed326705eebd8971f165f181eec48e3b0ca9db9eee7fc751219b08f232905537e6e11bee9a2047c8d4655bd527de30886867b09667a9b43fb632efd81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogfdbyk.ab
Filesize
185KB

MD5
150c4ad580838de92e5d1075bec1a096

SHA1
26bfb3ee566194fc404ad412248f2d8a7087158d

SHA256
63bd9d497e41a00f1c7933f7e53265acf1d17a684cbcdfd58fa31509caea0312

SHA512
1a8c5e90a7ee2cc3d0d20af573d2f72f27f97b47b0c0377f2e2bc223cdb4325c7f6b323f4fba3d8e85c3b312dd26c5daa68721b7639bd335ccde1a3fc133a890

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdfzzcimpsq.pft
Filesize
5KB

MD5
f1b11b8dfbc4691f1bf708e418926be2

SHA1
15b20be48519bba3634de79d558f50a6b86d84e0

SHA256
7efc2b455ac90c4fbee3a90228e22f1784f37d05bbe0987ea40ebef19b1dee52

SHA512
6af21b1d0e0564b35a9bb8fdf74812537f45988d0dc6bd086b9949da48e6dccc18ba3a16ffa39dcf62d5349f82d1582442f21fac7438c4589538d5a1419d4ee1

Download Submit
memory/1468-232-0x0000000001300000-0x000000000144A000-memory.dmp

Filesize
1.3MB

Download
memory/1468-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-231-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1468-233-0x0000000000F10000-0x0000000000FBE000-memory.dmp

Filesize
696KB

Download
memory/1468-209-0x00000000004012B0-mapping.dmp

Download
memory/1748-234-0x0000000001380000-0x0000000001460000-memory.dmp

Filesize
896KB

Download
memory/1748-271-0x0000000001380000-0x0000000001460000-memory.dmp

Filesize
896KB

Download
memory/1748-274-0x00000000031E0000-0x000000000332B000-memory.dmp

Filesize
1.3MB

Download
memory/1748-295-0x00000000031E0000-0x000000000332B000-memory.dmp

Filesize
1.3MB

Download
memory/2176-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-183-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-161-0x0000000000000000-mapping.dmp

Download
memory/3832-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3988-268-0x0000000002B10000-0x0000000002B3D000-memory.dmp

Filesize
180KB

Download
memory/3988-269-0x0000000004790000-0x0000000004AB0000-memory.dmp

Filesize
3.1MB

Download
memory/3988-272-0x0000000004450000-0x00000000045EB000-memory.dmp

Filesize
1.6MB

Download
memory/3988-273-0x0000000002B10000-0x0000000002B3D000-memory.dmp

Filesize
180KB

Download
memory/3988-267-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/3988-275-0x0000000004450000-0x00000000045EB000-memory.dmp

Filesize
1.6MB

Download
memory/3988-235-0x0000000000000000-mapping.dmp

Download