formbook | 73a5f6c41cb4b4b5fb949c859ca58e8c6890c3accdc3e9d30e4b66d461890682

General

Target

HVTYUNB GH.exe
Size

286KB
MD5

9c9cdba4a31ce04352f53e163bd96e4c
SHA1

8df864893b78417f89bbfab5abc5b662c5000ac3
SHA256

73a5f6c41cb4b4b5fb949c859ca58e8c6890c3accdc3e9d30e4b66d461890682
SHA512

69136741e441b693ff6853549a69dd2e9aaa5a5b615c018b5dceeedbe8f978d418c8db771a88fad94ea31885be5fcf0e7b2b20a388d0ccc518e88d2c3da72bf6
SSDEEP

6144:GnVuMW0KvGua1XyT+u0sefecpCor7NPrcMlv3vfKk+10sU69:GuMW0VuQyKuFefe/o1jvXKkE0sUy

Score

10^/10

formbook tpd2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

tpd2

Decoy

P83Fr0F3A2KiI+cW

Pp1caIMEnr/EFk6Eu415Y1M=

O5eVsiutrsnUK6kDF6El

wxvn/yutO1JimCRM5HI=

F+ahRJCkyfI4Xwoe

ozU8V7MKMIba4U98/3w=

b4GDF1u0P2p62t1Ka3o=

KomBjwSImCdhtq7eMmQ=

1zqJLbw2x46Z8Q==

lal5nLUpt9Fjqeo=

yifkCkmeS5Of5dXwSWlkCIsXZA==

fK2zUmVxp/I6q91Ka3o=

MQa3V3RrSpKT

TzYGjdgculPW3Qs+6XM=

dVgMubs7KzuD6A==

CSAuug6iPk1Wn5K/8lQ9mQ==

hBOyTXIs6TuX612tLW0=

onmqz912c5So4uYW

zLHGWnnDYrHrLixltY15Y1M=

9wcJlsgDO4rnN2F+tY15Y1M=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4208 set thread context of 4304	4208	HVTYUNB GH.exe	82
PID 4304 set thread context of 740	4304	Regsvcs.exe	49
PID 4304 set thread context of 740	4304	Regsvcs.exe	49
PID 3768 set thread context of 740	3768	WWAHost.exe	49

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
740	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
4304	Regsvcs.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe
3768	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	Regsvcs.exe
Token: SeDebugPrivilege	3768	WWAHost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
740	Explorer.EXE
740	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4208 wrote to memory of 4304	4208	HVTYUNB GH.exe	82
PID 4304 wrote to memory of 3768	4304	Regsvcs.exe	86
PID 4304 wrote to memory of 3768	4304	Regsvcs.exe	86
PID 4304 wrote to memory of 3768	4304	Regsvcs.exe	86
PID 740 wrote to memory of 4268	740	Explorer.EXE	88
PID 740 wrote to memory of 4268	740	Explorer.EXE	88
PID 740 wrote to memory of 4268	740	Explorer.EXE	88
PID 740 wrote to memory of 2492	740	Explorer.EXE	84
PID 740 wrote to memory of 2492	740	Explorer.EXE	84
PID 740 wrote to memory of 2492	740	Explorer.EXE	84
PID 3768 wrote to memory of 4768	3768	WWAHost.exe	101
PID 3768 wrote to memory of 4768	3768	WWAHost.exe	101
PID 3768 wrote to memory of 4768	3768	WWAHost.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\HVTYUNB GH.exe
  "C:\Users\Admin\AppData\Local\Temp\HVTYUNB GH.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      4⤵
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:4768
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  PID:2492
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4004
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-146-0x00000000089F0000-0x0000000008B37000-memory.dmp

Filesize
1.3MB

Download
memory/740-154-0x0000000003010000-0x00000000030F6000-memory.dmp

Filesize
920KB

Download
memory/740-153-0x0000000003010000-0x00000000030F6000-memory.dmp

Filesize
920KB

Download
memory/740-141-0x0000000008B60000-0x0000000008CDD000-memory.dmp

Filesize
1.5MB

Download
memory/3768-152-0x00000000014F0000-0x000000000157F000-memory.dmp

Filesize
572KB

Download
memory/3768-151-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3768-150-0x0000000001610000-0x000000000195A000-memory.dmp

Filesize
3.3MB

Download
memory/3768-149-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3768-148-0x00000000003E0000-0x00000000004BC000-memory.dmp

Filesize
880KB

Download
memory/3768-147-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000100000-0x0000000000150000-memory.dmp

Filesize
320KB

Download
memory/4304-139-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/4304-145-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4304-144-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4304-143-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/4304-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4304-140-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/4304-137-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4304-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4304-133-0x0000000000000000-mapping.dmp

Download
memory/4304-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing