formbook | 85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5

General

Target

30571d64c9a9ed267159fa941a20840c.exe
Size

272KB
MD5

30571d64c9a9ed267159fa941a20840c
SHA1

bfb81d8a7c94781b3bd939bd17d500ae61b2ff70
SHA256

85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5
SHA512

5c8b708f3540b9347c36722934c8fc56098a94f8362688a8fa712da99e1b8c2564698eb0bed52e226cdfc40cf8b762e1860f6ea9928260e3f0f35bba9cfda82f
SSDEEP

6144:QBn10/UR088uiPuDtJWn42Isu/20+kfAZLrYdwMPTnDMiQH7oPo9:gWLuiPh4rZOH5ZL/MLn4REo9

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hvbvmxm.exehvbvmxm.exe

pid process

216 hvbvmxm.exe
4044 hvbvmxm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hvbvmxm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation hvbvmxm.exe

pid	process
216	hvbvmxm.exe
4044	hvbvmxm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	hvbvmxm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

hvbvmxm.exehvbvmxm.exeraserver.exe

description	pid	process	target process
PID 216 set thread context of 4044	216	hvbvmxm.exe	hvbvmxm.exe
PID 4044 set thread context of 2596	4044	hvbvmxm.exe	Explorer.EXE
PID 4044 set thread context of 2596	4044	hvbvmxm.exe	Explorer.EXE
PID 4572 set thread context of 2596	4572	raserver.exe	Explorer.EXE
PID 4572 set thread context of 1236	4572	raserver.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

hvbvmxm.exeraserver.exe

pid	process
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2596 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

hvbvmxm.exehvbvmxm.exeraserver.exe

pid process

216 hvbvmxm.exe
4044 hvbvmxm.exe
4044 hvbvmxm.exe
4044 hvbvmxm.exe
4044 hvbvmxm.exe
4572 raserver.exe
4572 raserver.exe
4572 raserver.exe
4572 raserver.exe

pid	process
2596	Explorer.EXE

pid	process
216	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4044	hvbvmxm.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe
4572	raserver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

hvbvmxm.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4044	hvbvmxm.exe
Token: SeDebugPrivilege	4572	raserver.exe
Token: SeShutdownPrivilege	2596	Explorer.EXE
Token: SeCreatePagefilePrivilege	2596	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

30571d64c9a9ed267159fa941a20840c.exehvbvmxm.exeExplorer.EXE

description	pid	process	target process
PID 1272 wrote to memory of 216	1272	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 1272 wrote to memory of 216	1272	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 1272 wrote to memory of 216	1272	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 216 wrote to memory of 4044	216	hvbvmxm.exe	hvbvmxm.exe
PID 216 wrote to memory of 4044	216	hvbvmxm.exe	hvbvmxm.exe
PID 216 wrote to memory of 4044	216	hvbvmxm.exe	hvbvmxm.exe
PID 216 wrote to memory of 4044	216	hvbvmxm.exe	hvbvmxm.exe
PID 2596 wrote to memory of 4572	2596	Explorer.EXE	raserver.exe
PID 2596 wrote to memory of 4572	2596	Explorer.EXE	raserver.exe
PID 2596 wrote to memory of 4572	2596	Explorer.EXE	raserver.exe
PID 2596 wrote to memory of 1236	2596	Explorer.EXE	explorer.exe
PID 2596 wrote to memory of 1236	2596	Explorer.EXE	explorer.exe
PID 2596 wrote to memory of 1236	2596	Explorer.EXE	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe
"C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
"C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe" C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
"C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe" C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:1236

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
Filesize
5KB

MD5
00815375b1b0aef8d5f1c54050813cf2

SHA1
e007f2c7d30fbd16a35a97e91b1b4719f46d28bb

SHA256
2c6c3495127ae142aaa4577d73b6c1ee3502b2c76bee20ebf54cea2c86404e63

SHA512
64edf14579c02ebe2b27ea06a19c5753f08aeea370e4c8bf93552086aa4ffb62ebf841e818d40ca091343bb789ad7f42a7fe2bfbb76fe870f19065a31aae2fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocoimqmpj.ep
Filesize
185KB

MD5
add9cd4eacd9591a07875b761c8d1640

SHA1
2047c17a31a7e83850def3ca6310572957e5d0b2

SHA256
0af1afda6f616beb76513577272e0e36efb99cf8a3718b7725d60c9d88dfbc0b

SHA512
132281dc01506d09d5c7106105338179a9db0d50309c94ffbc5e63a7fbf0e6d6dc5b31d26db93e51fb4c994da3f8d9b398d2c31f3cf8cf807f111bd9ccf761ac

Download Submit
memory/216-132-0x0000000000000000-mapping.dmp

Download
memory/1236-155-0x0000000000000000-mapping.dmp

Download
memory/2596-144-0x0000000008830000-0x0000000008948000-memory.dmp

Filesize
1.1MB

Download
memory/2596-153-0x0000000003820000-0x00000000039A7000-memory.dmp

Filesize
1.5MB

Download
memory/2596-147-0x0000000008FC0000-0x00000000090C8000-memory.dmp

Filesize
1.0MB

Download
memory/2596-156-0x0000000003820000-0x00000000039A7000-memory.dmp

Filesize
1.5MB

Download
memory/4044-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-142-0x0000000000960000-0x0000000000CAA000-memory.dmp

Filesize
3.3MB

Download
memory/4044-143-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4044-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-145-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/4044-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-137-0x0000000000000000-mapping.dmp

Download
memory/4572-148-0x0000000000000000-mapping.dmp

Download
memory/4572-152-0x0000000002C30000-0x0000000002CBF000-memory.dmp

Filesize
572KB

Download
memory/4572-151-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/4572-154-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/4572-149-0x0000000000FA0000-0x0000000000FBF000-memory.dmp

Filesize
124KB

Download
memory/4572-150-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads