formbook | f713783b78488d6997250029c2cc9c506b38c96a1198cd0fdc263fc1ed85d4ae

General

Target

d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
Size

246KB
MD5

18f4957244bc049d56a80817e78da201
SHA1

a8dd8602f604e5b33b4e21c157cd23a084218d62
SHA256

d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a
SHA512

75ae534cca9e219288ff02b391b2995f9c49f82b406c86b3554a78cecaabed4c84b473137241ed08aea3894f25d6fc5d2a95a1d0766ba908ac42657adf5e5336
SSDEEP

6144:KEa0i0pnITU4I9GqwmJYb3IaNDTRovITs0ZVc+oD8oA+:aynmqwmeIQTR3Ts8VcHA+

Score

10^/10

formbook fkku rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

dztud.exedztud.exe

pid process

1496 dztud.exe
828 dztud.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dztud.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation dztud.exe
Loads dropped DLL 3 IoCs

Processes:

d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exedztud.exewininit.exe

pid process

1316 d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
1496 dztud.exe
268 wininit.exe

pid	process
1496	dztud.exe
828	dztud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	dztud.exe

pid	process
1316	d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
1496	dztud.exe
268	wininit.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dztud.exedztud.exewininit.exe

description	pid	process	target process
PID 1496 set thread context of 828	1496	dztud.exe	dztud.exe
PID 828 set thread context of 1232	828	dztud.exe	Explorer.EXE
PID 268 set thread context of 1232	268	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

dztud.exewininit.exe

pid	process
828	dztud.exe
828	dztud.exe
828	dztud.exe
828	dztud.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dztud.exedztud.exewininit.exe

pid process

1496 dztud.exe
828 dztud.exe
828 dztud.exe
828 dztud.exe
268 wininit.exe
268 wininit.exe
268 wininit.exe
268 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dztud.exewininit.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 828 dztud.exe
Token: SeDebugPrivilege 268 wininit.exe
Token: SeShutdownPrivilege 1232 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE

pid	process
1496	dztud.exe
828	dztud.exe
828	dztud.exe
828	dztud.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe
268	wininit.exe

description	pid	process
Token: SeDebugPrivilege	828	dztud.exe
Token: SeDebugPrivilege	268	wininit.exe
Token: SeShutdownPrivilege	1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exedztud.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1316 wrote to memory of 1496	1316	d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe	dztud.exe
PID 1316 wrote to memory of 1496	1316	d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe	dztud.exe
PID 1316 wrote to memory of 1496	1316	d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe	dztud.exe
PID 1316 wrote to memory of 1496	1316	d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe	dztud.exe
PID 1496 wrote to memory of 828	1496	dztud.exe	dztud.exe
PID 1496 wrote to memory of 828	1496	dztud.exe	dztud.exe
PID 1496 wrote to memory of 828	1496	dztud.exe	dztud.exe
PID 1496 wrote to memory of 828	1496	dztud.exe	dztud.exe
PID 1496 wrote to memory of 828	1496	dztud.exe	dztud.exe
PID 1232 wrote to memory of 268	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 268	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 268	1232	Explorer.EXE	wininit.exe
PID 1232 wrote to memory of 268	1232	Explorer.EXE	wininit.exe
PID 268 wrote to memory of 1980	268	wininit.exe	Firefox.exe
PID 268 wrote to memory of 1980	268	wininit.exe	Firefox.exe
PID 268 wrote to memory of 1980	268	wininit.exe	Firefox.exe
PID 268 wrote to memory of 1980	268	wininit.exe	Firefox.exe
PID 268 wrote to memory of 1980	268	wininit.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe
"C:\Users\Admin\AppData\Local\Temp\d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\dztud.exe
"C:\Users\Admin\AppData\Local\Temp\dztud.exe" C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\dztud.exe
"C:\Users\Admin\AppData\Local\Temp\dztud.exe" C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dztud.exe
Filesize
30KB

MD5
61b3304d1d4f6a61d5ab92cbe4016910

SHA1
de5b55fe477b94299297996eff913f16fe38d9cd

SHA256
b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40

SHA512
f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\dztud.exe
Filesize
30KB

MD5
61b3304d1d4f6a61d5ab92cbe4016910

SHA1
de5b55fe477b94299297996eff913f16fe38d9cd

SHA256
b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40

SHA512
f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\dztud.exe
Filesize
30KB

MD5
61b3304d1d4f6a61d5ab92cbe4016910

SHA1
de5b55fe477b94299297996eff913f16fe38d9cd

SHA256
b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40

SHA512
f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\foxlvd.azo
Filesize
5KB

MD5
004294a9f4b51e40dbf7c4018524b9a7

SHA1
d7e0f3a18965d5729163471128cc6eb6e4d77409

SHA256
9eefab494a9bb92d08b0852f840e9f8c0882297e41e9c1201d5abc3cc9d643cf

SHA512
88c970982df5def42e97dd7e2f43157fd5c5018eb576c41c4c2d968bb134ae75143f587bfce49a902747168566cc64fb4285bd461b3a592ba9a9b7c5390c6c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytvko.u
Filesize
185KB

MD5
3f7fc6e065ed10355db4f53a3ec78f1b

SHA1
df6a08a214046eddb22748e4d4ab15e3f831e32d

SHA256
6fd28b913aadcd55aa8e03bdb3671517ea41789fbdd673eed390b314fd0fcf07

SHA512
feb54b32270f5df305d9cb5044a9729d9af765c6df543e522e8a9136cac3c16670b4246042fe55f0b6aa19f38e5c3aa67f9d1d9c0e0dc35f7b487d5718c135d1

Download Submit
\Users\Admin\AppData\Local\Temp\dztud.exe
Filesize
30KB

MD5
61b3304d1d4f6a61d5ab92cbe4016910

SHA1
de5b55fe477b94299297996eff913f16fe38d9cd

SHA256
b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40

SHA512
f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91

Download Submit
\Users\Admin\AppData\Local\Temp\dztud.exe
Filesize
30KB

MD5
61b3304d1d4f6a61d5ab92cbe4016910

SHA1
de5b55fe477b94299297996eff913f16fe38d9cd

SHA256
b3f72f6c6580f51b78b6bb90a4aaa7c8b13699bef94f3ff619f144b9bd1b6b40

SHA512
f4f429f63cdd355133e72bb1eb31963346e1f3055c6c4fb2ea1ff8943d8408524ba0f8c25f71cda970d70b346905b5fd7b8731f567db093fa317d1737f194d91

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
memory/268-73-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/268-70-0x0000000000000000-mapping.dmp

Download
memory/268-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/268-74-0x0000000000910000-0x000000000099F000-memory.dmp

Filesize
572KB

Download
memory/268-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/268-71-0x0000000000BD0000-0x0000000000BEA000-memory.dmp

Filesize
104KB

Download
memory/828-67-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/828-68-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/828-63-0x00000000004012B0-mapping.dmp

Download
memory/828-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/828-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-69-0x0000000004B50000-0x0000000004CB0000-memory.dmp

Filesize
1.4MB

Download
memory/1232-75-0x0000000004D60000-0x0000000004E99000-memory.dmp

Filesize
1.2MB

Download
memory/1232-77-0x0000000004D60000-0x0000000004E99000-memory.dmp

Filesize
1.2MB

Download
memory/1316-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1496-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads