formbook | ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11

General

Target

DHL AWB-5024310182_061222.exe
Size

788KB
MD5

4bc8ce54beb8016d78f09425034b3d03
SHA1

8a3f23548ac66a45a5fba76561757df9bb301c8b
SHA256

ec4741cb3671f0c7563788e27e03fd2cfae2b7470108cbf9e1603b138d034a11
SHA512

2f24cb9e3246826dd851723de0ecfcc561621c8ebe0111d509e1d42fa69967b49ad9f288d2e172a7b56744368d91344da0cacfc7bdfd8b568e20da56c94d6711
SSDEEP

24576:momxiPQFQNWbvquj44kgP6Y/mXYGAsjl:moKmQSNWbvn4hs/y

Score

10^/10

formbook d8ax rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

d8ax

Decoy

wQDD4HkJc+vErnk=

j7vdn039QTY5Gcs43SDb8R4gwLgFCI7s

ZqPN0enMl4As

kKK00fOMq6KZmHv6kZjEiTm3l1o=

CxCTti/0Dcs5qly/AVHoTg==

5TwVtD3wcevErnk=

/ieoWNXMl4As

caK67QvHGhmiEuKpidX2RA==

Bbyy3J6D1Qw=

LV5N2gOocvpbA/OB/w==

k7k2OMNsBY67libDOi4=

wuDokhS1jLo4mA==

RVGz6anMl4As

la40BCHFwoI/rpugbdoaWQ==

XmVnfY0nNACG5si5u8Ds6F79xw==

dpyQTuytl0/bShsFIYUaHRzIL4quYwxgTA==

yvmesDDPpTSrLhf5GlvvdaCZekhAsg==

obTEXhervaSWkSbDOi4=

ClZogXcOT1DcPyvgOKJM

Drlokv/cjLo4mA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL AWB-5024310182_061222.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DHL AWB-5024310182_061222.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL AWB-5024310182_061222.exeDHL AWB-5024310182_061222.exehelp.exe

description	pid	process	target process
PID 3248 set thread context of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 5008 set thread context of 744	5008	DHL AWB-5024310182_061222.exe	Explorer.EXE
PID 4292 set thread context of 744	4292	help.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

DHL AWB-5024310182_061222.exehelp.exe

pid	process
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

744 Explorer.EXE

pid	process
744	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

DHL AWB-5024310182_061222.exehelp.exe

pid	process
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
5008	DHL AWB-5024310182_061222.exe
4292	help.exe
4292	help.exe
4292	help.exe
4292	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL AWB-5024310182_061222.exehelp.exe

description pid process

Token: SeDebugPrivilege 5008 DHL AWB-5024310182_061222.exe
Token: SeDebugPrivilege 4292 help.exe

description	pid	process
Token: SeDebugPrivilege	5008	DHL AWB-5024310182_061222.exe
Token: SeDebugPrivilege	4292	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL AWB-5024310182_061222.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 3248 wrote to memory of 5008	3248	DHL AWB-5024310182_061222.exe	DHL AWB-5024310182_061222.exe
PID 744 wrote to memory of 4292	744	Explorer.EXE	help.exe
PID 744 wrote to memory of 4292	744	Explorer.EXE	help.exe
PID 744 wrote to memory of 4292	744	Explorer.EXE	help.exe
PID 4292 wrote to memory of 3660	4292	help.exe	Firefox.exe
PID 4292 wrote to memory of 3660	4292	help.exe	Firefox.exe
PID 4292 wrote to memory of 3660	4292	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\DHL AWB-5024310182_061222.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB-5024310182_061222.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\DHL AWB-5024310182_061222.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB-5024310182_061222.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-154-0x0000000007C80000-0x0000000007DDC000-memory.dmp

Filesize
1.4MB

Download
memory/744-146-0x0000000002B20000-0x0000000002BEE000-memory.dmp

Filesize
824KB

Download
memory/744-153-0x0000000007C80000-0x0000000007DDC000-memory.dmp

Filesize
1.4MB

Download
memory/3248-135-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

Filesize
40KB

Download
memory/3248-136-0x000000000AA50000-0x000000000AAEC000-memory.dmp

Filesize
624KB

Download
memory/3248-132-0x0000000000030000-0x00000000000FA000-memory.dmp

Filesize
808KB

Download
memory/3248-134-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/3248-133-0x0000000004FC0000-0x0000000005564000-memory.dmp

Filesize
5.6MB

Download
memory/4292-147-0x0000000000000000-mapping.dmp

Download
memory/4292-152-0x0000000001820000-0x00000000018AF000-memory.dmp

Filesize
572KB

Download
memory/4292-151-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/4292-150-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/4292-148-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/4292-149-0x00000000014D0000-0x000000000181A000-memory.dmp

Filesize
3.3MB

Download
memory/5008-137-0x0000000000000000-mapping.dmp

Download
memory/5008-145-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/5008-144-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/5008-142-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/5008-143-0x0000000001180000-0x00000000014CA000-memory.dmp

Filesize
3.3MB

Download
memory/5008-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5008-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5008-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads