formbook | 1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71

Analysis

max time kernel
171s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10-12-2022 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c974d9519a2bfe890a2fd763224d1e7.exe
Size

333KB
MD5

4c974d9519a2bfe890a2fd763224d1e7
SHA1

2e88feb98658d7ffee549438453aef2bc162b115
SHA256

1ade1d842f0cb779839799c419832a9c05238f94a678e7cbf44fae51e2264f71
SHA512

fbfccf98cf6cd86715c7990c31c1a3865ea5833f471cb198bf0bf523583e540f25b285022cecb40d97a93b230b5c89f566699f3c70382af03d13327854da5b27
SSDEEP

6144:9kw4zSWT5nfPUV3IyLOCJ8a2e8/rBpAUfoyrlAtn/3lxS5qr:k38RIyLG88TBawZi/3lkO

Score

10^/10

formbook dwdp persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exe

pid process

584 wyziyqqllh.exe
1152 wyziyqqllh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wyziyqqllh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	wyziyqqllh.exe

Loads dropped DLL 4 IoCs

Processes:

4c974d9519a2bfe890a2fd763224d1e7.exewyziyqqllh.exenetsh.exe

pid process

1656 4c974d9519a2bfe890a2fd763224d1e7.exe
1656 4c974d9519a2bfe890a2fd763224d1e7.exe
584 wyziyqqllh.exe
1808 netsh.exe

pid	process
1656	4c974d9519a2bfe890a2fd763224d1e7.exe
1656	4c974d9519a2bfe890a2fd763224d1e7.exe
584	wyziyqqllh.exe
1808	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wyziyqqllh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecgru = "C:\\Users\\Admin\\AppData\\Roaming\\lcdobatkse\\puisxyjyut.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wyziyqqllh.exe\" C:\\Users\\Admin\\AppData"	wyziyqqllh.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exenetsh.exe

description	pid	process	target process
PID 584 set thread context of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 1152 set thread context of 1200	1152	wyziyqqllh.exe	Explorer.EXE
PID 1152 set thread context of 1200	1152	wyziyqqllh.exe	Explorer.EXE
PID 1808 set thread context of 1200	1808	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

wyziyqqllh.exenetsh.exe

pid	process
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

wyziyqqllh.exewyziyqqllh.exenetsh.exe

pid	process
584	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1152	wyziyqqllh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe
1808	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wyziyqqllh.exenetsh.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1152 wyziyqqllh.exe
Token: SeDebugPrivilege 1808 netsh.exe
Token: SeShutdownPrivilege 1200 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1152	wyziyqqllh.exe
Token: SeDebugPrivilege	1808	netsh.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

4c974d9519a2bfe890a2fd763224d1e7.exewyziyqqllh.exeExplorer.EXEwyziyqqllh.exenetsh.exe

description	pid	process	target process
PID 1656 wrote to memory of 584	1656	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 1656 wrote to memory of 584	1656	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 1656 wrote to memory of 584	1656	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 1656 wrote to memory of 584	1656	4c974d9519a2bfe890a2fd763224d1e7.exe	wyziyqqllh.exe
PID 584 wrote to memory of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 584 wrote to memory of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 584 wrote to memory of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 584 wrote to memory of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 584 wrote to memory of 1152	584	wyziyqqllh.exe	wyziyqqllh.exe
PID 1200 wrote to memory of 1688	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 1688	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 1688	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 1688	1200	Explorer.EXE	svchost.exe
PID 1152 wrote to memory of 1808	1152	wyziyqqllh.exe	netsh.exe
PID 1152 wrote to memory of 1808	1152	wyziyqqllh.exe	netsh.exe
PID 1152 wrote to memory of 1808	1152	wyziyqqllh.exe	netsh.exe
PID 1152 wrote to memory of 1808	1152	wyziyqqllh.exe	netsh.exe
PID 1808 wrote to memory of 1360	1808	netsh.exe	Firefox.exe
PID 1808 wrote to memory of 1360	1808	netsh.exe	Firefox.exe
PID 1808 wrote to memory of 1360	1808	netsh.exe	Firefox.exe
PID 1808 wrote to memory of 1360	1808	netsh.exe	Firefox.exe
PID 1808 wrote to memory of 1360	1808	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\4c974d9519a2bfe890a2fd763224d1e7.exe
"C:\Users\Admin\AppData\Local\Temp\4c974d9519a2bfe890a2fd763224d1e7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe" C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
"C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
5⤵
PID:1796

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
6⤵
PID:1360

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fugegefct.s
Filesize
185KB

MD5
2375912c75db13281f3bfc9c3ddf7646

SHA1
9955467017fcb057d1ca868db84f4f7ebc31fd45

SHA256
f9cdfa1edf4a5f85d8ddaae338fc550580ff5094eed1507c9beca4097298d861

SHA512
56242ec311c00540ebee80b661fb3fcf8674635d48675b17e1de677271ab997f3ae057f009cf34654b5241b11e1a3f0d97f8f99be4e78a4b32b519a7695e5256

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwdscgke.dnn
Filesize
7KB

MD5
2c406815d04080e2fa43ba9e99ceabd3

SHA1
27b0f2b81e15d7715867accb5fa68f8c8f4ea209

SHA256
b70fa69ab56821b4902e9922d786948c5673440e0f8dd5403385d96d0167cee4

SHA512
32df91288abf935fb71e1fa04beeed0d945877f2ed2830fd7068344523371a05bc5fe973f475e8a1f9b5d95f50ca4ae9ab75a5182a063476209f2cb22b6c9b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
922KB

MD5
dda1b03a5cd2ca37c96b7daf5e3a8ed7

SHA1
c70e5f58e61980d39608f0795879bf012dbbbca2

SHA256
79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d

SHA512
bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
\Users\Admin\AppData\Local\Temp\wyziyqqllh.exe
Filesize
276KB

MD5
bd4eb7604f815c32830ec68cc479ad62

SHA1
00ac1b0b12be758027c01083ad85604305d4b1af

SHA256
1b417034908720dffd6e5847b89a013f0414b46a31f2e93f91446f8efede1f64

SHA512
b72e5e0e8cce7a22b6053f6daed91e91bc7c81c7a314a8340aa2903d1506b4e04e91ed2d08f343f9a616ecbf3f83cbe4763ee0876dd61e2acab141adc8d4dcd9

Download Submit
memory/584-57-0x0000000000000000-mapping.dmp

Download
memory/1152-69-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1152-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-68-0x0000000000750000-0x0000000000A53000-memory.dmp

Filesize
3.0MB

Download
memory/1152-64-0x00000000004012B0-mapping.dmp

Download
memory/1152-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-71-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1200-74-0x0000000004DD0000-0x0000000004F4B000-memory.dmp

Filesize
1.5MB

Download
memory/1200-72-0x0000000004DD0000-0x0000000004F4B000-memory.dmp

Filesize
1.5MB

Download
memory/1200-70-0x0000000004CC0000-0x0000000004DCC000-memory.dmp

Filesize
1.0MB

Download
memory/1200-80-0x0000000006480000-0x000000000655A000-memory.dmp

Filesize
872KB

Download
memory/1200-81-0x0000000006480000-0x000000000655A000-memory.dmp

Filesize
872KB

Download
memory/1656-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1808-75-0x0000000000000000-mapping.dmp

Download
memory/1808-76-0x00000000008F0000-0x000000000090B000-memory.dmp

Filesize
108KB

Download
memory/1808-77-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1808-78-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1808-79-0x0000000000470000-0x00000000004FF000-memory.dmp

Filesize
572KB

Download