formbook | 523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2022 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe
Size

225KB
MD5

47a23aee342a69b3979d59f87d87f257
SHA1

be425b1bee70b0f65013e22a08f7e23b7bf39f98
SHA256

523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60
SHA512

dd11ac67a0dc8f6db4c20b672e7b50cc0759c49ebf37ea823d1d6c9d48bd642e7b64e5bc07da8eb8213ad01dc592f07eb3d6d50691e32db971be415fdacd68fe
SSDEEP

6144:QBn1JHfQuipH5+jN4Zaen4dngz69VtVlz39YAd7:gdfQt5aNR6ctLz3v

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

urvome.exeurvome.exe

pid process

4388 urvome.exe
768 urvome.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

urvome.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation urvome.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4388	urvome.exe
768	urvome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	urvome.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

urvome.exeurvome.execmd.exe

description	pid	process	target process
PID 4388 set thread context of 768	4388	urvome.exe	urvome.exe
PID 768 set thread context of 3024	768	urvome.exe	Explorer.EXE
PID 768 set thread context of 3024	768	urvome.exe	Explorer.EXE
PID 4264 set thread context of 3024	4264	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2368682536-4045190062-1465778271-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

urvome.execmd.exe

pid	process
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

urvome.exeurvome.execmd.exe

pid process

4388 urvome.exe
768 urvome.exe
768 urvome.exe
768 urvome.exe
768 urvome.exe
4264 cmd.exe
4264 cmd.exe
4264 cmd.exe
4264 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

urvome.execmd.exe

description pid process

Token: SeDebugPrivilege 768 urvome.exe
Token: SeDebugPrivilege 4264 cmd.exe

pid	process
3024	Explorer.EXE

pid	process
4388	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
768	urvome.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe
4264	cmd.exe

description	pid	process
Token: SeDebugPrivilege	768	urvome.exe
Token: SeDebugPrivilege	4264	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exeurvome.exeurvome.execmd.exe

description	pid	process	target process
PID 3504 wrote to memory of 4388	3504	523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe	urvome.exe
PID 3504 wrote to memory of 4388	3504	523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe	urvome.exe
PID 3504 wrote to memory of 4388	3504	523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe	urvome.exe
PID 4388 wrote to memory of 768	4388	urvome.exe	urvome.exe
PID 4388 wrote to memory of 768	4388	urvome.exe	urvome.exe
PID 4388 wrote to memory of 768	4388	urvome.exe	urvome.exe
PID 4388 wrote to memory of 768	4388	urvome.exe	urvome.exe
PID 768 wrote to memory of 4264	768	urvome.exe	cmd.exe
PID 768 wrote to memory of 4264	768	urvome.exe	cmd.exe
PID 768 wrote to memory of 4264	768	urvome.exe	cmd.exe
PID 4264 wrote to memory of 4080	4264	cmd.exe	Firefox.exe
PID 4264 wrote to memory of 4080	4264	cmd.exe	Firefox.exe
PID 4264 wrote to memory of 4080	4264	cmd.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3024

C:\Users\Admin\AppData\Local\Temp\523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe
"C:\Users\Admin\AppData\Local\Temp\523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\urvome.exe
"C:\Users\Admin\AppData\Local\Temp\urvome.exe" C:\Users\Admin\AppData\Local\Temp\drualqgndu.a
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\urvome.exe
"C:\Users\Admin\AppData\Local\Temp\urvome.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
5⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
6⤵
PID:4080

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drualqgndu.a
Filesize
5KB

MD5
00f3de26d2dfe17db7189de34de9e10c

SHA1
7c9cdcd7f76b9855ab8d38c2171496b498ce1b31

SHA256
5f99a87302f03cf7ae0fd4d5899a498634e7838f278928f81d27f5616f644243

SHA512
04d682eb6583486c7cae1594ba6662e2c460e046e13c04ca1582a51d0e5adc0ed666cad52233231047c2e1149b6768577c5fc36364f840495effa8647fedc526

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftatiernz.j
Filesize
185KB

MD5
8b7d9927165d6e675cb6462168d64efa

SHA1
7dd758d7109c5b752c76300ac25bc0c136f0bc06

SHA256
d2d461d60ae7f6483bbb7f684ee8197dcb67ce1c86f37800c6a5c64e859fabe7

SHA512
45b43645dc2bd12873cbdccb2fc503862840c1616561e570963dc1a22125a02d72e48e808d5b5a66e59bc56d68be0407c60535c56d6e61dd9fd4d1e5e22b15f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
memory/768-238-0x0000000000ED0000-0x00000000011F0000-memory.dmp

Filesize
3.1MB

Download
memory/768-239-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/768-222-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/768-241-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/768-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-244-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/768-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-215-0x00000000004012B0-mapping.dmp

Download
memory/3024-240-0x00000000064F0000-0x0000000006686000-memory.dmp

Filesize
1.6MB

Download
memory/3024-242-0x0000000002E90000-0x0000000002F66000-memory.dmp

Filesize
856KB

Download
memory/3024-270-0x0000000005100000-0x00000000051B2000-memory.dmp

Filesize
712KB

Download
memory/3024-307-0x0000000005100000-0x00000000051B2000-memory.dmp

Filesize
712KB

Download
memory/3504-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-118-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-117-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-119-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4264-245-0x0000000000000000-mapping.dmp

Download
memory/4264-251-0x0000000000990000-0x00000000009E9000-memory.dmp

Filesize
356KB

Download
memory/4264-252-0x0000000002C10000-0x0000000002C3D000-memory.dmp

Filesize
180KB

Download
memory/4264-254-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/4264-269-0x00000000032B0000-0x000000000333F000-memory.dmp

Filesize
572KB

Download
memory/4264-271-0x0000000002C10000-0x0000000002C3D000-memory.dmp

Filesize
180KB

Download
memory/4264-272-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/4388-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-158-0x0000000000000000-mapping.dmp

Download
memory/4388-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4388-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download