formbook | 5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf

General

Target

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
Size

344KB
MD5

4c81a87e0db78ea6a775bef1503d6ec0
SHA1

e11930e6e07c9c17aaa53512a28e63859545f486
SHA256

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf
SHA512

66001fddb953d6bd178b780e23ccc0ac4f94b4c4157f028995d5b3e0c548982fcb285ec1968cb75a11d838494b34df431b6d7f9d63d7d50d17e42b40e85a184a
SSDEEP

6144:QBn1ARf0fEEreo2gSo66il6s6DZBvNhMwALYT5Eme/OqZbklOExYi6UZS/P:gAx4EECb3oCH6NBBoSA/OeQ/xK28P

Score

10^/10

formbook sdq4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

sdq4

Decoy

M/NxSqNc5vEVvfXWWA==

X0Q2HDisLuzoYHfD/mIcqVDnOotmMQ==

rpEiJ3YmytzsKpdRm4BC7C+2Tw==

fm8cTFjP2FWL2pX5CMjb

5ZhWW5wmXtrmLgrzSjT6uhFBjJHnOQ==

x7J40079eC34LH47UXg5nQ==

ZP8X4tob2taHVprY6DY=

a1jaSE2/8CrzM/8SUXg5nQ==

f5NPHDH65GxGSnZkngvT

IgmQAMCztfqJvfXWWA==

g1+wuFVS/tReSfENUXg5nQ==

SivMIukaJaRo0q8C

LQ9gYduaQQzUE5rY6DY=

TwJTqpALLLkbSI8=

uGsh+xbSG/Cg0Eqd1i8=

p1gOxrnIf1QXDg==

6cuOoOaSRhDQEprY6DY=

nIVfX649g7xtvfXWWA==

RiWd3WQpq7DSGJrY6DY=

ESeuyPlUh40hEw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

dtdnnez.exedtdnnez.exe

pid process

560 dtdnnez.exe
1788 dtdnnez.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dtdnnez.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation dtdnnez.exe

pid	process
560	dtdnnez.exe
1788	dtdnnez.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dtdnnez.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dtdnnez.exedtdnnez.exeWWAHost.exe

description	pid	process	target process
PID 560 set thread context of 1788	560	dtdnnez.exe	dtdnnez.exe
PID 1788 set thread context of 900	1788	dtdnnez.exe	Explorer.EXE
PID 4792 set thread context of 900	4792	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

WWAHost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

dtdnnez.exeWWAHost.exe

pid	process
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

900 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dtdnnez.exedtdnnez.exeWWAHost.exe

pid process

560 dtdnnez.exe
1788 dtdnnez.exe
1788 dtdnnez.exe
1788 dtdnnez.exe
4792 WWAHost.exe
4792 WWAHost.exe
4792 WWAHost.exe
4792 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dtdnnez.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 1788 dtdnnez.exe
Token: SeDebugPrivilege 4792 WWAHost.exe

pid	process
900	Explorer.EXE

pid	process
560	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
1788	dtdnnez.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe
4792	WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	1788	dtdnnez.exe
Token: SeDebugPrivilege	4792	WWAHost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exedtdnnez.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 3516 wrote to memory of 560	3516	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 3516 wrote to memory of 560	3516	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 3516 wrote to memory of 560	3516	5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe	dtdnnez.exe
PID 560 wrote to memory of 1788	560	dtdnnez.exe	dtdnnez.exe
PID 560 wrote to memory of 1788	560	dtdnnez.exe	dtdnnez.exe
PID 560 wrote to memory of 1788	560	dtdnnez.exe	dtdnnez.exe
PID 560 wrote to memory of 1788	560	dtdnnez.exe	dtdnnez.exe
PID 900 wrote to memory of 4792	900	Explorer.EXE	WWAHost.exe
PID 900 wrote to memory of 4792	900	Explorer.EXE	WWAHost.exe
PID 900 wrote to memory of 4792	900	Explorer.EXE	WWAHost.exe
PID 4792 wrote to memory of 5036	4792	WWAHost.exe	Firefox.exe
PID 4792 wrote to memory of 5036	4792	WWAHost.exe	Firefox.exe
PID 4792 wrote to memory of 5036	4792	WWAHost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0ad70962c30c5d8121d9952c0115449253afc64eee634b73ef544692d1dddf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe
    "C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe" C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe
      "C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe" C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtdnnez.exe

Filesize
333KB

MD5
df64c464192269fbec746ebb9ef88ce9

SHA1
6dfdadb32ba293930ef6212364754e730267d96e

SHA256
e51e409ff63f3e6f180763d52e535daf154abec7dafe6982c4d49d9e17f402d1

SHA512
74dec99727610dfc7577d04c0e47e49f7b327698d4c79307745bceae643abe88a881bbd29c829d4e6dfb5652a589f46def9bad070e460eb3500faab427fb7246

Download Submit
C:\Users\Admin\AppData\Local\Temp\lavnpsy.jlm

Filesize
5KB

MD5
e6228383b44bf8f604771c9f2d68f4ef

SHA1
5f9e76540ad0aae3b18cb75a11c8be337f839765

SHA256
d9d9bb5fa96aaff11017e83c19fdbf375e9166dabef083ad2f7f0c83e0b68033

SHA512
5e4293e9ca11189f3a420679c1b5756dab1a92d421c55d3e54c67af5d2286b5ce7e1f0a8f8a5946831c5dee3002e6e763b9372f60f8fda7d888ef378d02a5596

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmorjyhkxii.dgc

Filesize
185KB

MD5
2297b21230d08f23a727575368ae63f0

SHA1
ca08ff1317dadd6f18fecd54b0fcf5a0bfa40526

SHA256
58eff1e5eb40cc12791a15cfd868e155a38dd0e82d557201438476b3afb1592e

SHA512
87dedff248109066975899d676f7c0a5ea2175199da18af9b13ffb4091ae3a5166e5713d200b83363762a6dd23e932d599ce1e988ae2623e08437be4c3fefe80

Download Submit
memory/560-132-0x0000000000000000-mapping.dmp

Download
memory/900-151-0x0000000008670000-0x000000000874B000-memory.dmp

Filesize
876KB

Download
memory/900-149-0x0000000008670000-0x000000000874B000-memory.dmp

Filesize
876KB

Download
memory/900-143-0x0000000008570000-0x000000000866C000-memory.dmp

Filesize
1008KB

Download
memory/1788-141-0x0000000000AB0000-0x0000000000DFA000-memory.dmp

Filesize
3.3MB

Download
memory/1788-142-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1788-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-137-0x0000000000000000-mapping.dmp

Download
memory/4792-144-0x0000000000000000-mapping.dmp

Download
memory/4792-145-0x00000000000B0000-0x000000000018C000-memory.dmp

Filesize
880KB

Download
memory/4792-146-0x0000000001240000-0x000000000126D000-memory.dmp

Filesize
180KB

Download
memory/4792-147-0x0000000001DC0000-0x000000000210A000-memory.dmp

Filesize
3.3MB

Download
memory/4792-148-0x0000000001B20000-0x0000000001BAF000-memory.dmp

Filesize
572KB

Download
memory/4792-150-0x0000000001240000-0x000000000126D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads