formbook | 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c

General

Target

40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe
Size

278KB
MD5

f5bea76ffac05afbe19274595801184e
SHA1

93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256

40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
SHA512

3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
SSDEEP

6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

febcldoukq.exefebcldoukq.exe

pid process

3420 febcldoukq.exe
3604 febcldoukq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

febcldoukq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	febcldoukq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

febcldoukq.exefebcldoukq.exeNETSTAT.EXE

description	pid	process	target process
PID 3420 set thread context of 3604	3420	febcldoukq.exe	febcldoukq.exe
PID 3604 set thread context of 2732	3604	febcldoukq.exe	Explorer.EXE
PID 1776 set thread context of 2732	1776	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1776 NETSTAT.EXE

pid	process
1776	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

febcldoukq.exeNETSTAT.EXE

pid	process
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2732 Explorer.EXE

pid	process
2732	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

febcldoukq.exefebcldoukq.exeNETSTAT.EXE

pid	process
3420	febcldoukq.exe
3420	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
3604	febcldoukq.exe
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE
1776	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

febcldoukq.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3604 febcldoukq.exe
Token: SeDebugPrivilege 1776 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	3604	febcldoukq.exe
Token: SeDebugPrivilege	1776	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exefebcldoukq.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4288 wrote to memory of 3420	4288	40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe	febcldoukq.exe
PID 4288 wrote to memory of 3420	4288	40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe	febcldoukq.exe
PID 4288 wrote to memory of 3420	4288	40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe	febcldoukq.exe
PID 3420 wrote to memory of 3604	3420	febcldoukq.exe	febcldoukq.exe
PID 3420 wrote to memory of 3604	3420	febcldoukq.exe	febcldoukq.exe
PID 3420 wrote to memory of 3604	3420	febcldoukq.exe	febcldoukq.exe
PID 3420 wrote to memory of 3604	3420	febcldoukq.exe	febcldoukq.exe
PID 2732 wrote to memory of 1776	2732	Explorer.EXE	NETSTAT.EXE
PID 2732 wrote to memory of 1776	2732	Explorer.EXE	NETSTAT.EXE
PID 2732 wrote to memory of 1776	2732	Explorer.EXE	NETSTAT.EXE
PID 1776 wrote to memory of 2800	1776	NETSTAT.EXE	Firefox.exe
PID 1776 wrote to memory of 2800	1776	NETSTAT.EXE	Firefox.exe
PID 1776 wrote to memory of 2800	1776	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe
"C:\Users\Admin\AppData\Local\Temp\40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
"C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
"C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcibkfyfwn.yxq
Filesize
185KB

MD5
9929dd1c8831360c68c176adb59ca947

SHA1
6cb9f8d296878b31db696038ea01470613aeed9f

SHA256
5f3b667fa88aad6ba21374e37014e72c2aad0317ed1de2c1d6de839a61f9f541

SHA512
390d7426188347a9f64d9eea2a9b89807443bbdac1409db20532cd504a56637005b75b8fe23d29e5f8187d9d1deb238b10fe8734ed504c13ae9e5478667f0e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uebzn.cef
Filesize
5KB

MD5
28373e2b7e834278bbfc8597ea79a659

SHA1
674506b6d8c29d724529b2154d2edcabec4db4eb

SHA256
c8bd6b365ce4c504fd875cc967b7b498e8d79a27e877dbf1b3128ead638c1b57

SHA512
4b1cb1cfe3db15617511826351738010044db5742e2be522d3661d36aa532ef52cd59776a211c51bc58f118cf64b126adc0296d537aceece7e66e7d6d7034bde

Download Submit
memory/1776-144-0x0000000000000000-mapping.dmp

Download
memory/1776-149-0x0000000001570000-0x00000000015FF000-memory.dmp

Filesize
572KB

Download
memory/1776-148-0x0000000000D90000-0x0000000000DBD000-memory.dmp

Filesize
180KB

Download
memory/1776-147-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/1776-146-0x0000000000D90000-0x0000000000DBD000-memory.dmp

Filesize
180KB

Download
memory/1776-145-0x0000000000B30000-0x0000000000B3B000-memory.dmp

Filesize
44KB

Download
memory/2732-142-0x0000000008090000-0x0000000008224000-memory.dmp

Filesize
1.6MB

Download
memory/2732-150-0x0000000008230000-0x00000000083B5000-memory.dmp

Filesize
1.5MB

Download
memory/2732-151-0x0000000008230000-0x00000000083B5000-memory.dmp

Filesize
1.5MB

Download
memory/3420-132-0x0000000000000000-mapping.dmp

Download
memory/3604-143-0x0000000000580000-0x00000000005AF000-memory.dmp

Filesize
188KB

Download
memory/3604-141-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/3604-140-0x0000000000BE0000-0x0000000000F2A000-memory.dmp

Filesize
3.3MB

Download
memory/3604-139-0x0000000000580000-0x00000000005AF000-memory.dmp

Filesize
188KB

Download
memory/3604-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads