formbook | 21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3

General

Target

21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe
Size

270KB
MD5

54cb6b6a5eecc9c52283c1838a5a0d14
SHA1

0f9d660e95817a474cf866163d61ff6afde223fd
SHA256

21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3
SHA512

3308a4e8086948278daab24dea250dbf5b90df35466749fcc4126969132710beec581deed2c2fad1b99713016d232ec141675f1a3409bb92b177032bcebba72f
SSDEEP

6144:QBn1JYjUZI4r4lx3n5ssS0gVxdszEU0kXBgvsAZ/sEuRYSwq:gOiIblxXGsS00dszpXXqv/h+YSwq

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

ammjvvdhd.exeammjvvdhd.exe

pid process

208 ammjvvdhd.exe
3244 ammjvvdhd.exe

pid	process
208	ammjvvdhd.exe
3244	ammjvvdhd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ammjvvdhd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ammjvvdhd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ammjvvdhd.exeammjvvdhd.exeipconfig.exe

description	pid	process	target process
PID 208 set thread context of 3244	208	ammjvvdhd.exe	ammjvvdhd.exe
PID 3244 set thread context of 2696	3244	ammjvvdhd.exe	Explorer.EXE
PID 1780 set thread context of 2696	1780	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1780 ipconfig.exe

pid	process
1780	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ammjvvdhd.exeipconfig.exe

pid	process
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
1780	ipconfig.exe
1780	ipconfig.exe
1780	ipconfig.exe
1780	ipconfig.exe
1780	ipconfig.exe
1780	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2696 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ammjvvdhd.exeammjvvdhd.exeipconfig.exe

pid process

208 ammjvvdhd.exe
3244 ammjvvdhd.exe
3244 ammjvvdhd.exe
3244 ammjvvdhd.exe
1780 ipconfig.exe
1780 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ammjvvdhd.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 3244 ammjvvdhd.exe
Token: SeDebugPrivilege 1780 ipconfig.exe

pid	process
2696	Explorer.EXE

pid	process
208	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
3244	ammjvvdhd.exe
1780	ipconfig.exe
1780	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3244	ammjvvdhd.exe
Token: SeDebugPrivilege	1780	ipconfig.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exeammjvvdhd.exeExplorer.EXE

description	pid	process	target process
PID 1972 wrote to memory of 208	1972	21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe	ammjvvdhd.exe
PID 1972 wrote to memory of 208	1972	21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe	ammjvvdhd.exe
PID 1972 wrote to memory of 208	1972	21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe	ammjvvdhd.exe
PID 208 wrote to memory of 3244	208	ammjvvdhd.exe	ammjvvdhd.exe
PID 208 wrote to memory of 3244	208	ammjvvdhd.exe	ammjvvdhd.exe
PID 208 wrote to memory of 3244	208	ammjvvdhd.exe	ammjvvdhd.exe
PID 208 wrote to memory of 3244	208	ammjvvdhd.exe	ammjvvdhd.exe
PID 2696 wrote to memory of 1780	2696	Explorer.EXE	ipconfig.exe
PID 2696 wrote to memory of 1780	2696	Explorer.EXE	ipconfig.exe
PID 2696 wrote to memory of 1780	2696	Explorer.EXE	ipconfig.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe
"C:\Users\Admin\AppData\Local\Temp\21de76383c20f46e5991d16ecdccaf0f6ba0df011034e33ad17afc5cb7f1f6a3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
"C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe" C:\Users\Admin\AppData\Local\Temp\qxmeck.qiv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
"C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
Filesize
100KB

MD5
1572c37373db336490f960cdd9ac6e26

SHA1
2006e4fbc6f1e49e732d5d6edff96deab54efe6a

SHA256
fb9307d644d64ac3b23542e084ab40aed073c8ce54e940256c0e1d9e660630d1

SHA512
dd821678f553e34dfd0ceb9aee08ef5f2e96e7074cb8438881b6c495124dc8db2c9be053b163333d5f9b1e95a850257cb45d29f1725d03234eccc311996c4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
Filesize
100KB

MD5
1572c37373db336490f960cdd9ac6e26

SHA1
2006e4fbc6f1e49e732d5d6edff96deab54efe6a

SHA256
fb9307d644d64ac3b23542e084ab40aed073c8ce54e940256c0e1d9e660630d1

SHA512
dd821678f553e34dfd0ceb9aee08ef5f2e96e7074cb8438881b6c495124dc8db2c9be053b163333d5f9b1e95a850257cb45d29f1725d03234eccc311996c4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ammjvvdhd.exe
Filesize
100KB

MD5
1572c37373db336490f960cdd9ac6e26

SHA1
2006e4fbc6f1e49e732d5d6edff96deab54efe6a

SHA256
fb9307d644d64ac3b23542e084ab40aed073c8ce54e940256c0e1d9e660630d1

SHA512
dd821678f553e34dfd0ceb9aee08ef5f2e96e7074cb8438881b6c495124dc8db2c9be053b163333d5f9b1e95a850257cb45d29f1725d03234eccc311996c4f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxmeck.qiv
Filesize
5KB

MD5
fa3c203168b337c44205f7e78543cba2

SHA1
794ca8f0aea521ae1b236d2885ad85cb3533faba

SHA256
2721620c2b16189ed94d8812ff62bc5ea5de60054f35abdc1be848989fe850d2

SHA512
21b16d731b92a3398057528322a3ca6f84535aea589148743bcec9fad42f67ead81ed9ac93ad4b708c5284bf5e5793ac84cefebc3a674db28d78a07db77fd1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogmzi.yt
Filesize
185KB

MD5
24051f870b4d0f8249453b7b617fc013

SHA1
6a9ae68fde362eada8c57ca08dec8b24b58ae1a2

SHA256
adcac516b3d86b0112b61e5b691db019017463df4f6f50d0330daf345a9f7650

SHA512
c3f2958d8296d6c4c53e46224b88c9bd9ac849520a0e59d748654d2b4cf35fce9c47f5a217b181119711ebdafdec0be534a10e3525621462eebb0f4358353306

Download Submit
memory/208-132-0x0000000000000000-mapping.dmp

Download
memory/1780-151-0x0000000000BD0000-0x0000000000BFD000-memory.dmp

Filesize
180KB

Download
memory/1780-148-0x00000000015C0000-0x000000000190A000-memory.dmp

Filesize
3.3MB

Download
memory/1780-149-0x00000000013F0000-0x000000000147F000-memory.dmp

Filesize
572KB

Download
memory/1780-145-0x0000000000000000-mapping.dmp

Download
memory/1780-146-0x0000000000370000-0x000000000037B000-memory.dmp

Filesize
44KB

Download
memory/1780-147-0x0000000000BD0000-0x0000000000BFD000-memory.dmp

Filesize
180KB

Download
memory/2696-152-0x0000000008920000-0x0000000008A1D000-memory.dmp

Filesize
1012KB

Download
memory/2696-150-0x0000000008920000-0x0000000008A1D000-memory.dmp

Filesize
1012KB

Download
memory/2696-143-0x0000000008690000-0x000000000882B000-memory.dmp

Filesize
1.6MB

Download
memory/2696-144-0x0000000008690000-0x000000000882B000-memory.dmp

Filesize
1.6MB

Download
memory/3244-137-0x0000000000000000-mapping.dmp

Download
memory/3244-142-0x00000000011F0000-0x0000000001200000-memory.dmp

Filesize
64KB

Download
memory/3244-141-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/3244-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3244-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads