formbook | 28dcfab7a0d5e305ef2c14bb3e0fc88d9fba7e38affd2a4fd89ab32c103add38

General

Target

338beb0d3fe9cf2946527108a44d24b8.exe
Size

601KB
MD5

338beb0d3fe9cf2946527108a44d24b8
SHA1

c2545a831bd37190ca8fe20e53346da6693a8d48
SHA256

28dcfab7a0d5e305ef2c14bb3e0fc88d9fba7e38affd2a4fd89ab32c103add38
SHA512

638d3d6d6a8c0ef9f97183c95aad8016ab791ea264a0717c86639c397eb4b90206893ec4d9ab43b18966cea771b614d604c3c9d8e7d1feb428f6657c31ae56a3
SSDEEP

12288:gRmlQghT+BJnaHG72c1KRkswZIIQe8z94vd2:gwge6JcCsmIIWwk

Score

10^/10

formbook elhb rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

elhb

Decoy

BxGzoacPQ3mFBGhbtixjHOm2l30=

dTRqRkWfuBbGMmsPJA==

Pix+zpOG6+Gk

N+3dNZ0ZjOtrRnnj

xUv06VOm45P441HWCmmfSum2l30=

Sx5JuwMfaRrJdK3r

cgU6nPNKa14KC4K40cp4wbkm/KpzfwM=

rV8A2UGJrlbYxa48P40=

Gz3szbYLIYI6l+4=

QU3ru637P+U4itwRQ3n7n2c=

DdkGzbEPU4Fy4h2bZLVXNzz0

QPUo8R5qn9KUnhRRtmVY8/Zp5Xw=

q+EX7juJsVR79msRSnsUxg==

/34eEpvsLS8lw7uom5U=

HEVrEXHlHMlNNp9IlsY+0Q==

KZ/SIWnI7eeog+pwY9uAw+PmmhfjXQ==

Kdn7YMcoXYWjHId+0jhkHem2l30=

R7lnYeAfO1MUHIWyz9c/aoIvHxSvQA==

P7ZYVqmG6+Gk

hlk7m1hdnb0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

oodbofhab.exeoodbofhab.exe

pid process

1472 oodbofhab.exe
2348 oodbofhab.exe

pid	process
1472	oodbofhab.exe
2348	oodbofhab.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oodbofhab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	oodbofhab.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

oodbofhab.exeoodbofhab.execontrol.exe

description	pid	process	target process
PID 1472 set thread context of 2348	1472	oodbofhab.exe	oodbofhab.exe
PID 2348 set thread context of 1032	2348	oodbofhab.exe	Explorer.EXE
PID 4364 set thread context of 1032	4364	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

oodbofhab.execontrol.exe

pid	process
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1032 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

oodbofhab.exeoodbofhab.execontrol.exe

pid process

1472 oodbofhab.exe
2348 oodbofhab.exe
2348 oodbofhab.exe
2348 oodbofhab.exe
4364 control.exe
4364 control.exe
4364 control.exe
4364 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

oodbofhab.execontrol.exe

description pid process

Token: SeDebugPrivilege 2348 oodbofhab.exe
Token: SeDebugPrivilege 4364 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

oodbofhab.exe

pid process

1472 oodbofhab.exe
1472 oodbofhab.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

oodbofhab.exe

pid process

1472 oodbofhab.exe
1472 oodbofhab.exe

pid	process
1032	Explorer.EXE

pid	process
1472	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
2348	oodbofhab.exe
4364	control.exe
4364	control.exe
4364	control.exe
4364	control.exe

description	pid	process
Token: SeDebugPrivilege	2348	oodbofhab.exe
Token: SeDebugPrivilege	4364	control.exe

pid	process
1472	oodbofhab.exe
1472	oodbofhab.exe

pid	process
1472	oodbofhab.exe
1472	oodbofhab.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

338beb0d3fe9cf2946527108a44d24b8.exeoodbofhab.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 2404 wrote to memory of 1472	2404	338beb0d3fe9cf2946527108a44d24b8.exe	oodbofhab.exe
PID 2404 wrote to memory of 1472	2404	338beb0d3fe9cf2946527108a44d24b8.exe	oodbofhab.exe
PID 2404 wrote to memory of 1472	2404	338beb0d3fe9cf2946527108a44d24b8.exe	oodbofhab.exe
PID 1472 wrote to memory of 2348	1472	oodbofhab.exe	oodbofhab.exe
PID 1472 wrote to memory of 2348	1472	oodbofhab.exe	oodbofhab.exe
PID 1472 wrote to memory of 2348	1472	oodbofhab.exe	oodbofhab.exe
PID 1472 wrote to memory of 2348	1472	oodbofhab.exe	oodbofhab.exe
PID 1032 wrote to memory of 4364	1032	Explorer.EXE	control.exe
PID 1032 wrote to memory of 4364	1032	Explorer.EXE	control.exe
PID 1032 wrote to memory of 4364	1032	Explorer.EXE	control.exe
PID 4364 wrote to memory of 4000	4364	control.exe	Firefox.exe
PID 4364 wrote to memory of 4000	4364	control.exe	Firefox.exe
PID 4364 wrote to memory of 4000	4364	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\338beb0d3fe9cf2946527108a44d24b8.exe
  "C:\Users\Admin\AppData\Local\Temp\338beb0d3fe9cf2946527108a44d24b8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe
    "C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe" "C:\Users\Admin\AppData\Local\Temp\jzxcvhdss.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe
      "C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jzxcvhdss.au3

Filesize
6KB

MD5
63ba1c6a968a1cfeab47670db2025431

SHA1
8d7d5d3b3ec87b7beb587b2860b98d689c6e0534

SHA256
1d9573d2e106477fb16a4428bab972f20a5059017649d1f814e9d03fcb5b31dc

SHA512
4c06e4d475351a7fc926092c573662d1a826cbec8201a1437bc150e6232ca8e96bb8c8ee2cca44f1bd17fc3a9e20f52c2f434a258d603b5d7d1a09d60bb64782

Download Submit
C:\Users\Admin\AppData\Local\Temp\nofpurtiq.hx

Filesize
61KB

MD5
281e03b7c9e8a01cdbe97f67b2f306bc

SHA1
233310d4efb0d7f1f938820805df38b072b4ba02

SHA256
ba60f46e330d508b49b4ce5ab91d1e47e9368f23e93fd56490705e722de33aec

SHA512
59db343e276a289b189bd3cd2503e6fbe6d5490de9721f93a715ef2c139bf24dbfa27b36499c626ce3f6eee2bae9cec1aa73d674d72a3b9fc3daee2cb9529513

Download Submit
C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oodbofhab.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcbtdjpcoxy.ksy

Filesize
185KB

MD5
e4375e51da7dc180f6a14918c8fbcd58

SHA1
a738fd596c59dfd1844f847c943aab9a8b4ed061

SHA256
a6e201672750badfb866b7c01a532598f8a92b4a014ca2090072242e1975b843

SHA512
741a54a686d2d61b6eaef82bc51839b7ee1565a99048e42ecb47aa267ad2e5a82ff8c11c7bc00ed8ad86e239e6fd54f9239a63660cdd8310dcfd1900d72a4732

Download Submit
memory/1032-153-0x0000000002E70000-0x0000000002F2C000-memory.dmp

Filesize
752KB

Download
memory/1032-151-0x0000000002E70000-0x0000000002F2C000-memory.dmp

Filesize
752KB

Download
memory/1032-144-0x00000000028C0000-0x00000000029EF000-memory.dmp

Filesize
1.2MB

Download
memory/1472-132-0x0000000000000000-mapping.dmp

Download
memory/2348-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/2348-143-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2348-141-0x00000000012C0000-0x000000000160A000-memory.dmp

Filesize
3.3MB

Download
memory/2348-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2348-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-137-0x0000000000000000-mapping.dmp

Download
memory/4364-145-0x0000000000000000-mapping.dmp

Download
memory/4364-146-0x0000000000C50000-0x0000000000C77000-memory.dmp

Filesize
156KB

Download
memory/4364-147-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download
memory/4364-149-0x0000000002240000-0x000000000258A000-memory.dmp

Filesize
3.3MB

Download
memory/4364-150-0x0000000002180000-0x000000000220F000-memory.dmp

Filesize
572KB

Download
memory/4364-152-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads