formbook | 4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1

General

Target

DHL INVOICE#-002834.exe
Size

306KB
MD5

9564349d362fe854594e13217800ea9f
SHA1

5067b33410d6a859f96e07d7fa006446b5e3abdb
SHA256

4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1
SHA512

d919fbc75fd973ddd8e425b728d3ab7c251b5671493517d4eb8e825f6b26a4b5f36d70468b171a336bafcc6c8eaf9deea3c31af7ba26b9ba1aee9649b0b5a1ca
SSDEEP

6144:NBn0JAr0W067hhLsgQfQIRHWGdEzFgu+sdIEOZz9Kgzl:EerA67sF9Hj2RzEkql

Score

10^/10

formbook codp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

codp

Decoy

WLwbp9IgDF0DRbuq

oNQ7DHBzVHVMTxxxFCORk65Z5w==

eKyDm2P0S8i8tXrGSRxyN/GB+g==

DWLDupksnDvfKi7Q7PI=

JAaYbOFx1G0f4pcM36gDB3YaG796

KWQ71Z4U7+2Nv8K72OXED5M9oe8=

YJpvEHW5TU/wL02R9TiN0A==

tpQX78fPprFMi7ocSgXfUNYKpTq33Icp

a9Z0eju3FKFA/YBy+MQfG3QaG796

uQzt58fSssDUenxacQCY2g==

vijGzYPYOfi2gxZLhlbA

kZfzlQg7IGPxc29BJA==

dcQu+blQlxGyZu7qw5P4L6s=

TTIXAcXMr85yqqvxWBMqdrw=

xZb/tyGC8sOjIS7Q7PI=

KnzenvO+cXkVS3biKfRDwJ9Q5Q==

ZqZvDt9+yYxqh1Si

vZD8CtVZigY/cqnmLA==

QJy2dd/p0MO1Ji7Q7PI=

l+Hmoea3jsiAcqnmLA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

nwbaihgld.exenwbaihgld.exe

pid process

4232 nwbaihgld.exe
3504 nwbaihgld.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

nwbaihgld.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation nwbaihgld.exe

pid	process
4232	nwbaihgld.exe
3504	nwbaihgld.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	nwbaihgld.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nwbaihgld.exenwbaihgld.exemsiexec.exe

description	pid	process	target process
PID 4232 set thread context of 3504	4232	nwbaihgld.exe	nwbaihgld.exe
PID 3504 set thread context of 3044	3504	nwbaihgld.exe	Explorer.EXE
PID 4948 set thread context of 3044	4948	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

nwbaihgld.exemsiexec.exe

pid	process
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

nwbaihgld.exenwbaihgld.exemsiexec.exe

pid process

4232 nwbaihgld.exe
3504 nwbaihgld.exe
3504 nwbaihgld.exe
3504 nwbaihgld.exe
4948 msiexec.exe
4948 msiexec.exe
4948 msiexec.exe
4948 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nwbaihgld.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3504 nwbaihgld.exe
Token: SeDebugPrivilege 4948 msiexec.exe

pid	process
3044	Explorer.EXE

pid	process
4232	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
3504	nwbaihgld.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	3504	nwbaihgld.exe
Token: SeDebugPrivilege	4948	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL INVOICE#-002834.exenwbaihgld.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2512 wrote to memory of 4232	2512	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 2512 wrote to memory of 4232	2512	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 2512 wrote to memory of 4232	2512	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 4232 wrote to memory of 3504	4232	nwbaihgld.exe	nwbaihgld.exe
PID 4232 wrote to memory of 3504	4232	nwbaihgld.exe	nwbaihgld.exe
PID 4232 wrote to memory of 3504	4232	nwbaihgld.exe	nwbaihgld.exe
PID 4232 wrote to memory of 3504	4232	nwbaihgld.exe	nwbaihgld.exe
PID 3044 wrote to memory of 4948	3044	Explorer.EXE	msiexec.exe
PID 3044 wrote to memory of 4948	3044	Explorer.EXE	msiexec.exe
PID 3044 wrote to memory of 4948	3044	Explorer.EXE	msiexec.exe
PID 4948 wrote to memory of 3612	4948	msiexec.exe	Firefox.exe
PID 4948 wrote to memory of 3612	4948	msiexec.exe	Firefox.exe
PID 4948 wrote to memory of 3612	4948	msiexec.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe
"C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe" C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lfpawsddp.vnb
Filesize
185KB

MD5
63197a586b382ba5464003f7275236e6

SHA1
f2073ba4af95098e71bbb384383a227aecce8f35

SHA256
d411c5620287a19b2e4c41e7e1ae4e459199feb864c292304e21be73ea9029e6

SHA512
ab02ec855769551f784a7ee6287519648e0302cd0b1ddb3135bf5c635231d175aa7fa97d8cd27045bb2408c438150375498eea25a43104e0c6458a0adff44eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
Filesize
5KB

MD5
d18c95ac432c99f8258833f63a5d2596

SHA1
68b4b9a95a574b05100c693b6f5a74ab2fd24351

SHA256
7a756c0994c7bd8ee13469088db0facaf20dac4b8ac46ad891cc9429af0c10c6

SHA512
23e49e410c676d8de243c90eed7e8ce97fa15a0ad617dc5cd3dd89e7492d28cd565dbdbbd367f428d85a0c4efb3ed28130ea1ae1d3e224cb9af42b0fbda992ac

Download Submit
memory/3044-143-0x00000000080B0000-0x0000000008166000-memory.dmp

Filesize
728KB

Download
memory/3044-152-0x0000000008170000-0x00000000082BC000-memory.dmp

Filesize
1.3MB

Download
memory/3044-150-0x0000000008170000-0x00000000082BC000-memory.dmp

Filesize
1.3MB

Download
memory/3044-148-0x00000000080B0000-0x0000000008166000-memory.dmp

Filesize
728KB

Download
memory/3504-137-0x0000000000000000-mapping.dmp

Download
memory/3504-141-0x0000000001950000-0x0000000001C9A000-memory.dmp

Filesize
3.3MB

Download
memory/3504-142-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/3504-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3504-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-132-0x0000000000000000-mapping.dmp

Download
memory/4948-144-0x0000000000000000-mapping.dmp

Download
memory/4948-145-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/4948-146-0x0000000000110000-0x000000000013D000-memory.dmp

Filesize
180KB

Download
memory/4948-147-0x00000000021C0000-0x000000000250A000-memory.dmp

Filesize
3.3MB

Download
memory/4948-149-0x0000000002050000-0x00000000020DF000-memory.dmp

Filesize
572KB

Download
memory/4948-151-0x0000000000110000-0x000000000013D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads