formbook | 85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30571d64c9a9ed267159fa941a20840c.exe
Size

272KB
MD5

30571d64c9a9ed267159fa941a20840c
SHA1

bfb81d8a7c94781b3bd939bd17d500ae61b2ff70
SHA256

85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5
SHA512

5c8b708f3540b9347c36722934c8fc56098a94f8362688a8fa712da99e1b8c2564698eb0bed52e226cdfc40cf8b762e1860f6ea9928260e3f0f35bba9cfda82f
SSDEEP

6144:QBn10/UR088uiPuDtJWn42Isu/20+kfAZLrYdwMPTnDMiQH7oPo9:gWLuiPh4rZOH5ZL/MLn4REo9

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

hvbvmxm.exehvbvmxm.exe

pid process

3064 hvbvmxm.exe
4764 hvbvmxm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hvbvmxm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation hvbvmxm.exe

pid	process
3064	hvbvmxm.exe
4764	hvbvmxm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hvbvmxm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hvbvmxm.exehvbvmxm.exesystray.exe

description	pid	process	target process
PID 3064 set thread context of 4764	3064	hvbvmxm.exe	hvbvmxm.exe
PID 4764 set thread context of 2056	4764	hvbvmxm.exe	Explorer.EXE
PID 3668 set thread context of 2056	3668	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

hvbvmxm.exesystray.exe

pid	process
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2056 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

hvbvmxm.exehvbvmxm.exesystray.exe

pid process

3064 hvbvmxm.exe
4764 hvbvmxm.exe
4764 hvbvmxm.exe
4764 hvbvmxm.exe
3668 systray.exe
3668 systray.exe
3668 systray.exe
3668 systray.exe

pid	process
2056	Explorer.EXE

pid	process
3064	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
4764	hvbvmxm.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe
3668	systray.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

hvbvmxm.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4764	hvbvmxm.exe
Token: SeDebugPrivilege	3668	systray.exe
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

30571d64c9a9ed267159fa941a20840c.exehvbvmxm.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3548 wrote to memory of 3064	3548	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 3548 wrote to memory of 3064	3548	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 3548 wrote to memory of 3064	3548	30571d64c9a9ed267159fa941a20840c.exe	hvbvmxm.exe
PID 3064 wrote to memory of 4764	3064	hvbvmxm.exe	hvbvmxm.exe
PID 3064 wrote to memory of 4764	3064	hvbvmxm.exe	hvbvmxm.exe
PID 3064 wrote to memory of 4764	3064	hvbvmxm.exe	hvbvmxm.exe
PID 3064 wrote to memory of 4764	3064	hvbvmxm.exe	hvbvmxm.exe
PID 2056 wrote to memory of 3668	2056	Explorer.EXE	systray.exe
PID 2056 wrote to memory of 3668	2056	Explorer.EXE	systray.exe
PID 2056 wrote to memory of 3668	2056	Explorer.EXE	systray.exe
PID 3668 wrote to memory of 360	3668	systray.exe	Firefox.exe
PID 3668 wrote to memory of 360	3668	systray.exe	Firefox.exe
PID 3668 wrote to memory of 360	3668	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe
"C:\Users\Admin\AppData\Local\Temp\30571d64c9a9ed267159fa941a20840c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
"C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe" C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
"C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe" C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvbvmxm.exe
Filesize
123KB

MD5
1eebbbd92b2c0c60f896ff8dcbcedcaa

SHA1
1291cc58a5664b1acd50d9fd8e0580c519190477

SHA256
01b2d4443c383f07ccf3ea521ae9502527eeedf352b92b90a382121b03992ec3

SHA512
67efa564f026094bec0a44aaf01fc8072412e6cdeff019631689254a996c8b06cd0ccccee64b3d70b847e9aca7c3dbcde327d0a822988cc5295847990a8d9215

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijamguwvje.h
Filesize
5KB

MD5
00815375b1b0aef8d5f1c54050813cf2

SHA1
e007f2c7d30fbd16a35a97e91b1b4719f46d28bb

SHA256
2c6c3495127ae142aaa4577d73b6c1ee3502b2c76bee20ebf54cea2c86404e63

SHA512
64edf14579c02ebe2b27ea06a19c5753f08aeea370e4c8bf93552086aa4ffb62ebf841e818d40ca091343bb789ad7f42a7fe2bfbb76fe870f19065a31aae2fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocoimqmpj.ep
Filesize
185KB

MD5
add9cd4eacd9591a07875b761c8d1640

SHA1
2047c17a31a7e83850def3ca6310572957e5d0b2

SHA256
0af1afda6f616beb76513577272e0e36efb99cf8a3718b7725d60c9d88dfbc0b

SHA512
132281dc01506d09d5c7106105338179a9db0d50309c94ffbc5e63a7fbf0e6d6dc5b31d26db93e51fb4c994da3f8d9b398d2c31f3cf8cf807f111bd9ccf761ac

Download Submit
memory/2056-180-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-182-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-224-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/2056-223-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-222-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-221-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-220-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-219-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-218-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-217-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-149-0x0000000002D00000-0x0000000002DB7000-memory.dmp

Filesize
732KB

Download
memory/2056-216-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2056-215-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x00000000081B0000-0x000000000833B000-memory.dmp

Filesize
1.5MB

Download
memory/2056-153-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-156-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-183-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-159-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-161-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-160-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/2056-162-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-184-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-165-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-170-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-171-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-172-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-173-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-175-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-176-0x00000000081B0000-0x000000000833B000-memory.dmp

Filesize
1.5MB

Download
memory/2056-177-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-178-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-179-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-143-0x0000000002D00000-0x0000000002DB7000-memory.dmp

Filesize
732KB

Download
memory/2056-157-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-214-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-225-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-185-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-181-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-190-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-191-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-193-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-192-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-194-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-189-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-188-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-187-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-186-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-195-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-198-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-197-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-196-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-199-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2056-202-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-201-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-200-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-203-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-204-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-205-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-206-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-207-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-208-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-209-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-210-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-212-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-211-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-213-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/3064-132-0x0000000000000000-mapping.dmp

Download
memory/3668-146-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/3668-151-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/3668-150-0x0000000002930000-0x00000000029BF000-memory.dmp

Filesize
572KB

Download
memory/3668-148-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/3668-147-0x0000000002B00000-0x0000000002E4A000-memory.dmp

Filesize
3.3MB

Download
memory/3668-144-0x0000000000000000-mapping.dmp

Download
memory/4764-142-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/4764-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-137-0x0000000000000000-mapping.dmp

Download
memory/4764-141-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/4764-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download