formbook | 523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60

General

Target

47a23aee342a69b3979d59f87d87f257.exe
Size

225KB
MD5

47a23aee342a69b3979d59f87d87f257
SHA1

be425b1bee70b0f65013e22a08f7e23b7bf39f98
SHA256

523437805fcc7f3356f98479d5f7c268717886b41240a8b4466188fea8644f60
SHA512

dd11ac67a0dc8f6db4c20b672e7b50cc0759c49ebf37ea823d1d6c9d48bd642e7b64e5bc07da8eb8213ad01dc592f07eb3d6d50691e32db971be415fdacd68fe
SSDEEP

6144:QBn1JHfQuipH5+jN4Zaen4dngz69VtVlz39YAd7:gdfQt5aNR6ctLz3v

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

urvome.exeurvome.exe

pid process

1108 urvome.exe
2024 urvome.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

urvome.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation urvome.exe
Loads dropped DLL 3 IoCs

Processes:

47a23aee342a69b3979d59f87d87f257.exeurvome.exemsdt.exe

pid process

1324 47a23aee342a69b3979d59f87d87f257.exe
1108 urvome.exe
1472 msdt.exe

pid	process
1108	urvome.exe
2024	urvome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	urvome.exe

pid	process
1324	47a23aee342a69b3979d59f87d87f257.exe
1108	urvome.exe
1472	msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

urvome.exeurvome.exemsdt.exe

description	pid	process	target process
PID 1108 set thread context of 2024	1108	urvome.exe	urvome.exe
PID 2024 set thread context of 1400	2024	urvome.exe	Explorer.EXE
PID 1472 set thread context of 1400	1472	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

urvome.exemsdt.exe

pid	process
2024	urvome.exe
2024	urvome.exe
2024	urvome.exe
2024	urvome.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

urvome.exeurvome.exemsdt.exe

pid process

1108 urvome.exe
2024 urvome.exe
2024 urvome.exe
2024 urvome.exe
1472 msdt.exe
1472 msdt.exe
1472 msdt.exe
1472 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

urvome.exemsdt.exe

description pid process

Token: SeDebugPrivilege 2024 urvome.exe
Token: SeDebugPrivilege 1472 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE

pid	process
1400	Explorer.EXE

pid	process
1108	urvome.exe
2024	urvome.exe
2024	urvome.exe
2024	urvome.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe
1472	msdt.exe

description	pid	process
Token: SeDebugPrivilege	2024	urvome.exe
Token: SeDebugPrivilege	1472	msdt.exe

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

47a23aee342a69b3979d59f87d87f257.exeurvome.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1324 wrote to memory of 1108	1324	47a23aee342a69b3979d59f87d87f257.exe	urvome.exe
PID 1324 wrote to memory of 1108	1324	47a23aee342a69b3979d59f87d87f257.exe	urvome.exe
PID 1324 wrote to memory of 1108	1324	47a23aee342a69b3979d59f87d87f257.exe	urvome.exe
PID 1324 wrote to memory of 1108	1324	47a23aee342a69b3979d59f87d87f257.exe	urvome.exe
PID 1108 wrote to memory of 2024	1108	urvome.exe	urvome.exe
PID 1108 wrote to memory of 2024	1108	urvome.exe	urvome.exe
PID 1108 wrote to memory of 2024	1108	urvome.exe	urvome.exe
PID 1108 wrote to memory of 2024	1108	urvome.exe	urvome.exe
PID 1108 wrote to memory of 2024	1108	urvome.exe	urvome.exe
PID 1400 wrote to memory of 1472	1400	Explorer.EXE	msdt.exe
PID 1400 wrote to memory of 1472	1400	Explorer.EXE	msdt.exe
PID 1400 wrote to memory of 1472	1400	Explorer.EXE	msdt.exe
PID 1400 wrote to memory of 1472	1400	Explorer.EXE	msdt.exe
PID 1472 wrote to memory of 988	1472	msdt.exe	Firefox.exe
PID 1472 wrote to memory of 988	1472	msdt.exe	Firefox.exe
PID 1472 wrote to memory of 988	1472	msdt.exe	Firefox.exe
PID 1472 wrote to memory of 988	1472	msdt.exe	Firefox.exe
PID 1472 wrote to memory of 988	1472	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\47a23aee342a69b3979d59f87d87f257.exe
"C:\Users\Admin\AppData\Local\Temp\47a23aee342a69b3979d59f87d87f257.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\urvome.exe
"C:\Users\Admin\AppData\Local\Temp\urvome.exe" C:\Users\Admin\AppData\Local\Temp\drualqgndu.a
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\urvome.exe
"C:\Users\Admin\AppData\Local\Temp\urvome.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drualqgndu.a
Filesize
5KB

MD5
00f3de26d2dfe17db7189de34de9e10c

SHA1
7c9cdcd7f76b9855ab8d38c2171496b498ce1b31

SHA256
5f99a87302f03cf7ae0fd4d5899a498634e7838f278928f81d27f5616f644243

SHA512
04d682eb6583486c7cae1594ba6662e2c460e046e13c04ca1582a51d0e5adc0ed666cad52233231047c2e1149b6768577c5fc36364f840495effa8647fedc526

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftatiernz.j
Filesize
185KB

MD5
8b7d9927165d6e675cb6462168d64efa

SHA1
7dd758d7109c5b752c76300ac25bc0c136f0bc06

SHA256
d2d461d60ae7f6483bbb7f684ee8197dcb67ce1c86f37800c6a5c64e859fabe7

SHA512
45b43645dc2bd12873cbdccb2fc503862840c1616561e570963dc1a22125a02d72e48e808d5b5a66e59bc56d68be0407c60535c56d6e61dd9fd4d1e5e22b15f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
\Users\Admin\AppData\Local\Temp\urvome.exe
Filesize
11KB

MD5
b4525f356375ad3e3666b19b9a8c85ea

SHA1
4e6eb0bea549c9864019d1c7cfce4e3501dd57b9

SHA256
35675e18407e7b062785f7570f11569a6b06581fee803bc7d4286510ba9824bc

SHA512
98ea5ba34d2161dddc6cf937a7044579fbb9c3a776ef448abb0b6b68912fcd407972c56d38cba5135dd3153d43b1a5d7ac07c9e9b65564c46608b3197efc1b33

Download Submit
memory/1108-56-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1400-81-0x000007FEE4150000-0x000007FEE415A000-memory.dmp

Filesize
40KB

Download
memory/1400-80-0x000007FEF5D20000-0x000007FEF5E63000-memory.dmp

Filesize
1.3MB

Download
memory/1400-79-0x0000000006B00000-0x0000000006C50000-memory.dmp

Filesize
1.3MB

Download
memory/1400-76-0x0000000006B00000-0x0000000006C50000-memory.dmp

Filesize
1.3MB

Download
memory/1400-69-0x0000000003E40000-0x0000000003F30000-memory.dmp

Filesize
960KB

Download
memory/1472-74-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/1472-72-0x0000000000470000-0x0000000000564000-memory.dmp

Filesize
976KB

Download
memory/1472-73-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1472-75-0x0000000001FA0000-0x000000000202F000-memory.dmp

Filesize
572KB

Download
memory/1472-77-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2024-68-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2024-67-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2024-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2024-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-63-0x00000000004012B0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads