formbook | 5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf

General

Target

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
Size

344KB
MD5

4c81a87e0db78ea6a775bef1503d6ec0
SHA1

e11930e6e07c9c17aaa53512a28e63859545f486
SHA256

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf
SHA512

66001fddb953d6bd178b780e23ccc0ac4f94b4c4157f028995d5b3e0c548982fcb285ec1968cb75a11d838494b34df431b6d7f9d63d7d50d17e42b40e85a184a
SSDEEP

6144:QBn1ARf0fEEreo2gSo66il6s6DZBvNhMwALYT5Eme/OqZbklOExYi6UZS/P:gAx4EECb3oCH6NBBoSA/OeQ/xK28P

Score

10^/10

formbook sdq4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

sdq4

Decoy

M/NxSqNc5vEVvfXWWA==

X0Q2HDisLuzoYHfD/mIcqVDnOotmMQ==

rpEiJ3YmytzsKpdRm4BC7C+2Tw==

fm8cTFjP2FWL2pX5CMjb

5ZhWW5wmXtrmLgrzSjT6uhFBjJHnOQ==

x7J40079eC34LH47UXg5nQ==

ZP8X4tob2taHVprY6DY=

a1jaSE2/8CrzM/8SUXg5nQ==

f5NPHDH65GxGSnZkngvT

IgmQAMCztfqJvfXWWA==

g1+wuFVS/tReSfENUXg5nQ==

SivMIukaJaRo0q8C

LQ9gYduaQQzUE5rY6DY=

TwJTqpALLLkbSI8=

uGsh+xbSG/Cg0Eqd1i8=

p1gOxrnIf1QXDg==

6cuOoOaSRhDQEprY6DY=

nIVfX649g7xtvfXWWA==

RiWd3WQpq7DSGJrY6DY=

ESeuyPlUh40hEw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

dtdnnez.exedtdnnez.exe

pid process

1356 dtdnnez.exe
908 dtdnnez.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dtdnnez.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation dtdnnez.exe
Loads dropped DLL 3 IoCs

Processes:

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exedtdnnez.exesvchost.exe

pid process

1712 5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
1356 dtdnnez.exe
240 svchost.exe

pid	process
1356	dtdnnez.exe
908	dtdnnez.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	dtdnnez.exe

pid	process
1712	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
1356	dtdnnez.exe
240	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dtdnnez.exedtdnnez.exesvchost.exe

description	pid	process	target process
PID 1356 set thread context of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 908 set thread context of 1224	908	dtdnnez.exe	Explorer.EXE
PID 240 set thread context of 1224	240	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

dtdnnez.exesvchost.exe

pid	process
908	dtdnnez.exe
908	dtdnnez.exe
908	dtdnnez.exe
908	dtdnnez.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dtdnnez.exedtdnnez.exesvchost.exe

pid process

1356 dtdnnez.exe
908 dtdnnez.exe
908 dtdnnez.exe
908 dtdnnez.exe
240 svchost.exe
240 svchost.exe
240 svchost.exe
240 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dtdnnez.exesvchost.exe

description pid process

Token: SeDebugPrivilege 908 dtdnnez.exe
Token: SeDebugPrivilege 240 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE

pid	process
1224	Explorer.EXE

pid	process
1356	dtdnnez.exe
908	dtdnnez.exe
908	dtdnnez.exe
908	dtdnnez.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe
240	svchost.exe

description	pid	process
Token: SeDebugPrivilege	908	dtdnnez.exe
Token: SeDebugPrivilege	240	svchost.exe

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exedtdnnez.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1712 wrote to memory of 1356	1712	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 1712 wrote to memory of 1356	1712	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 1712 wrote to memory of 1356	1712	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 1712 wrote to memory of 1356	1712	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 1356 wrote to memory of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 1356 wrote to memory of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 1356 wrote to memory of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 1356 wrote to memory of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 1356 wrote to memory of 908	1356	dtdnnez.exe	dtdnnez.exe
PID 1224 wrote to memory of 240	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 240	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 240	1224	Explorer.EXE	svchost.exe
PID 1224 wrote to memory of 240	1224	Explorer.EXE	svchost.exe
PID 240 wrote to memory of 1964	240	svchost.exe	Firefox.exe
PID 240 wrote to memory of 1964	240	svchost.exe	Firefox.exe
PID 240 wrote to memory of 1964	240	svchost.exe	Firefox.exe
PID 240 wrote to memory of 1964	240	svchost.exe	Firefox.exe
PID 240 wrote to memory of 1964	240	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe
    "C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe" C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe
      "C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe" C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:908
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm

Filesize
5KB

MD5
e6228383b44bf8f604771c9f2d68f4ef

SHA1
5f9e76540ad0aae3b18cb75a11c8be337f839765

SHA256
d9d9bb5fa96aaff11017e83c19fdbf375e9166dabef083ad2f7f0c83e0b68033

SHA512
5e4293e9ca11189f3a420679c1b5756dab1a92d421c55d3e54c67af5d2286b5ce7e1f0a8f8a5946831c5dee3002e6e763b9372f60f8fda7d888ef378d02a5596

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmorjyhkxii.dgc

Filesize
185KB

MD5
2297b21230d08f23a727575368ae63f0

SHA1
ca08ff1317dadd6f18fecd54b0fcf5a0bfa40526

SHA256
58eff1e5eb40cc12791a15cfd868e155a38dd0e82d557201438476b3afb1592e

SHA512
87dedff248109066975899d676f7c0a5ea2175199da18af9b13ffb4091ae3a5166e5713d200b83363762a6dd23e932d599ce1e988ae2623e08437be4c3fefe80

Download Submit
\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
memory/240-73-0x0000000000780000-0x0000000000A83000-memory.dmp

Filesize
3.0MB

Download
memory/240-70-0x0000000000000000-mapping.dmp

Download
memory/240-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/240-74-0x00000000004B0000-0x000000000053F000-memory.dmp

Filesize
572KB

Download
memory/240-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/240-71-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/908-67-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/908-68-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/908-63-0x00000000004012B0-mapping.dmp

Download
memory/908-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-69-0x0000000003E50000-0x0000000003F03000-memory.dmp

Filesize
716KB

Download
memory/1224-75-0x0000000004A80000-0x0000000004BDC000-memory.dmp

Filesize
1.4MB

Download
memory/1224-78-0x0000000004A80000-0x0000000004BDC000-memory.dmp

Filesize
1.4MB

Download
memory/1356-56-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads