formbook | 22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7

General

Target

22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe
Size

225KB
MD5

f0a448d757645c4c8159d946be6cd741
SHA1

b91620ad9a0f0363bc2c1c853af4012966491706
SHA256

22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7
SHA512

0f02d99b5338c5869db540930f5b702a752ee7aa0ee3566f334c84783ce9bdd3c956f9f0073e4d11be7bd3e02c0b228c1761b9ee319f3739bcbdc8fd78d8163a
SSDEEP

3072:QEhKzShSycSMymlNbHD6OwfyAET17nwrmPRTFdyEOTwkBu8eg8HCRtFT+uwptnS2:QBn1yo5DXwfyA87nE04MEu6+uwXnp8Xm

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

xdzkcooocd.exexdzkcooocd.exe

pid process

4692 xdzkcooocd.exe
4764 xdzkcooocd.exe

pid	process
4692	xdzkcooocd.exe
4764	xdzkcooocd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xdzkcooocd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	xdzkcooocd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xdzkcooocd.exexdzkcooocd.exewlanext.exe

description	pid	process	target process
PID 4692 set thread context of 4764	4692	xdzkcooocd.exe	xdzkcooocd.exe
PID 4764 set thread context of 2348	4764	xdzkcooocd.exe	Explorer.EXE
PID 4556 set thread context of 2348	4556	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

xdzkcooocd.exewlanext.exe

pid	process
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2348 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

xdzkcooocd.exexdzkcooocd.exewlanext.exe

pid process

4692 xdzkcooocd.exe
4764 xdzkcooocd.exe
4764 xdzkcooocd.exe
4764 xdzkcooocd.exe
4556 wlanext.exe
4556 wlanext.exe
4556 wlanext.exe
4556 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xdzkcooocd.exewlanext.exe

description pid process

Token: SeDebugPrivilege 4764 xdzkcooocd.exe
Token: SeDebugPrivilege 4556 wlanext.exe

pid	process
2348	Explorer.EXE

pid	process
4692	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4764	xdzkcooocd.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe
4556	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	4764	xdzkcooocd.exe
Token: SeDebugPrivilege	4556	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exexdzkcooocd.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3260 wrote to memory of 4692	3260	22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe	xdzkcooocd.exe
PID 3260 wrote to memory of 4692	3260	22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe	xdzkcooocd.exe
PID 3260 wrote to memory of 4692	3260	22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe	xdzkcooocd.exe
PID 4692 wrote to memory of 4764	4692	xdzkcooocd.exe	xdzkcooocd.exe
PID 4692 wrote to memory of 4764	4692	xdzkcooocd.exe	xdzkcooocd.exe
PID 4692 wrote to memory of 4764	4692	xdzkcooocd.exe	xdzkcooocd.exe
PID 4692 wrote to memory of 4764	4692	xdzkcooocd.exe	xdzkcooocd.exe
PID 2348 wrote to memory of 4556	2348	Explorer.EXE	wlanext.exe
PID 2348 wrote to memory of 4556	2348	Explorer.EXE	wlanext.exe
PID 2348 wrote to memory of 4556	2348	Explorer.EXE	wlanext.exe
PID 4556 wrote to memory of 4724	4556	wlanext.exe	Firefox.exe
PID 4556 wrote to memory of 4724	4556	wlanext.exe	Firefox.exe
PID 4556 wrote to memory of 4724	4556	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe
"C:\Users\Admin\AppData\Local\Temp\22d3aa3de84b7d01eccdf2471c93da8cbdbf39afc3a1c149d2109f2f9644f5d7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
"C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe" C:\Users\Admin\AppData\Local\Temp\ciejdgh.ks
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
"C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ciejdgh.ks
Filesize
5KB

MD5
95f94f6c0937426a27ffe4a6c0c1f1ac

SHA1
c7e7e326ba7ce106921de134e87bf4b58251e763

SHA256
45919c2c09661fb3b6ea8078c9e14dfb963fd5b4756508319b6914a4fbfc5169

SHA512
f772938ab6c24a18e455a99296050193f717cf064738d595000f7204589a4a9280e96bb3b64017cd05e2d12e83404cb21da62090e46aefb7e227260c064948fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljilba.ize
Filesize
185KB

MD5
9e9e2574d508f0b065ce631116acb491

SHA1
137d9d3b0ce32f643f8f3e9634d256d23d16e5cd

SHA256
fd536d04e6b8da9b8b52e50efaefe6aa430ab65dfb44f33c12a7c4f4097af822

SHA512
5bdcaedcb9681a910ef43cf2ba90f5322c2c5d81cd2f48b39d16206c171281267af2c180f0948ddcae5158cf00a3cb7f61badae8518ba4df61a8e48274f48f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdzkcooocd.exe
Filesize
11KB

MD5
ff87e63143afb855a2adbb4928a63dd7

SHA1
0dc06e5c93a4c756c421a9933593d7447e32a57b

SHA256
62cd6b74528739d323d14f14d31b142a6b1f7fc4540cfa3a9f387f84ee73b269

SHA512
3dc235c2d23ad12cafeca9f0ee8da566a427775780d1e153d871c4d584871c9fa74b2779a52a36e6cd92bc3e7a538d7b93aa676aab09a7ac24e8958ab5378360

Download Submit
memory/2348-153-0x00000000088F0000-0x0000000008A0E000-memory.dmp

Filesize
1.1MB

Download
memory/2348-152-0x00000000088F0000-0x0000000008A0E000-memory.dmp

Filesize
1.1MB

Download
memory/2348-143-0x0000000008400000-0x0000000008518000-memory.dmp

Filesize
1.1MB

Download
memory/4556-147-0x0000000000AC0000-0x0000000000AD7000-memory.dmp

Filesize
92KB

Download
memory/4556-151-0x0000000000EB0000-0x0000000000F3F000-memory.dmp

Filesize
572KB

Download
memory/4556-150-0x0000000000780000-0x00000000007AD000-memory.dmp

Filesize
180KB

Download
memory/4556-149-0x0000000000780000-0x00000000007AD000-memory.dmp

Filesize
180KB

Download
memory/4556-148-0x0000000001110000-0x000000000145A000-memory.dmp

Filesize
3.3MB

Download
memory/4556-144-0x0000000000000000-mapping.dmp

Download
memory/4692-132-0x0000000000000000-mapping.dmp

Download
memory/4764-137-0x0000000000000000-mapping.dmp

Download
memory/4764-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4764-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-142-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4764-141-0x0000000001630000-0x000000000197A000-memory.dmp

Filesize
3.3MB

Download
memory/4764-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4764-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads