formbook | 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c

General

Target

f5bea76ffac05afbe19274595801184e.exe
Size

278KB
MD5

f5bea76ffac05afbe19274595801184e
SHA1

93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256

40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
SHA512

3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
SSDEEP

6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

febcldoukq.exefebcldoukq.exe

pid process

4552 febcldoukq.exe
4480 febcldoukq.exe

pid	process
4552	febcldoukq.exe
4480	febcldoukq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

febcldoukq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	febcldoukq.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

febcldoukq.exefebcldoukq.execmstp.exe

description	pid	process	target process
PID 4552 set thread context of 4480	4552	febcldoukq.exe	febcldoukq.exe
PID 4480 set thread context of 1056	4480	febcldoukq.exe	Explorer.EXE
PID 4480 set thread context of 1056	4480	febcldoukq.exe	Explorer.EXE
PID 1332 set thread context of 1056	1332	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

febcldoukq.execmstp.exe

pid	process
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
1332	cmstp.exe
1332	cmstp.exe
1332	cmstp.exe
1332	cmstp.exe
1332	cmstp.exe
1332	cmstp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

febcldoukq.exefebcldoukq.execmstp.exe

pid process

4552 febcldoukq.exe
4480 febcldoukq.exe
4480 febcldoukq.exe
4480 febcldoukq.exe
4480 febcldoukq.exe
1332 cmstp.exe
1332 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

febcldoukq.execmstp.exe

description pid process

Token: SeDebugPrivilege 4480 febcldoukq.exe
Token: SeDebugPrivilege 1332 cmstp.exe

pid	process
4552	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
4480	febcldoukq.exe
1332	cmstp.exe
1332	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	4480	febcldoukq.exe
Token: SeDebugPrivilege	1332	cmstp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

f5bea76ffac05afbe19274595801184e.exefebcldoukq.exeExplorer.EXEfebcldoukq.exe

description	pid	process	target process
PID 3244 wrote to memory of 4552	3244	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 3244 wrote to memory of 4552	3244	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 3244 wrote to memory of 4552	3244	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 4552 wrote to memory of 4480	4552	febcldoukq.exe	febcldoukq.exe
PID 4552 wrote to memory of 4480	4552	febcldoukq.exe	febcldoukq.exe
PID 4552 wrote to memory of 4480	4552	febcldoukq.exe	febcldoukq.exe
PID 4552 wrote to memory of 4480	4552	febcldoukq.exe	febcldoukq.exe
PID 1056 wrote to memory of 1108	1056	Explorer.EXE	cmmon32.exe
PID 1056 wrote to memory of 1108	1056	Explorer.EXE	cmmon32.exe
PID 1056 wrote to memory of 1108	1056	Explorer.EXE	cmmon32.exe
PID 4480 wrote to memory of 1332	4480	febcldoukq.exe	cmstp.exe
PID 4480 wrote to memory of 1332	4480	febcldoukq.exe	cmstp.exe
PID 4480 wrote to memory of 1332	4480	febcldoukq.exe	cmstp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe
"C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
"C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
"C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
5⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcibkfyfwn.yxq
Filesize
185KB

MD5
9929dd1c8831360c68c176adb59ca947

SHA1
6cb9f8d296878b31db696038ea01470613aeed9f

SHA256
5f3b667fa88aad6ba21374e37014e72c2aad0317ed1de2c1d6de839a61f9f541

SHA512
390d7426188347a9f64d9eea2a9b89807443bbdac1409db20532cd504a56637005b75b8fe23d29e5f8187d9d1deb238b10fe8734ed504c13ae9e5478667f0e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uebzn.cef
Filesize
5KB

MD5
28373e2b7e834278bbfc8597ea79a659

SHA1
674506b6d8c29d724529b2154d2edcabec4db4eb

SHA256
c8bd6b365ce4c504fd875cc967b7b498e8d79a27e877dbf1b3128ead638c1b57

SHA512
4b1cb1cfe3db15617511826351738010044db5742e2be522d3661d36aa532ef52cd59776a211c51bc58f118cf64b126adc0296d537aceece7e66e7d6d7034bde

Download Submit
memory/1056-143-0x00000000078B0000-0x00000000079BA000-memory.dmp

Filesize
1.0MB

Download
memory/1056-155-0x00000000029B0000-0x0000000002A73000-memory.dmp

Filesize
780KB

Download
memory/1056-153-0x00000000029B0000-0x0000000002A73000-memory.dmp

Filesize
780KB

Download
memory/1056-145-0x0000000007DD0000-0x0000000007F30000-memory.dmp

Filesize
1.4MB

Download
memory/1332-149-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/1332-150-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1332-154-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1332-152-0x0000000002860000-0x00000000028EF000-memory.dmp

Filesize
572KB

Download
memory/1332-151-0x00000000029C0000-0x0000000002D0A000-memory.dmp

Filesize
3.3MB

Download
memory/1332-146-0x0000000000000000-mapping.dmp

Download
memory/4480-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4480-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4480-142-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/4480-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-144-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/4480-141-0x0000000001390000-0x00000000016DA000-memory.dmp

Filesize
3.3MB

Download
memory/4480-137-0x0000000000000000-mapping.dmp

Download
memory/4552-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads