formbook | 065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c

General

Target

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
Size

229KB
MD5

69c8f26359a2f91a60c66023180491f7
SHA1

6be535b966a2d640a925a42375669f724bfb3ef3
SHA256

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c
SHA512

4f19b7b3c44a8de4c39e8afd9482f6c8afdd981a9b1517e6ee53b5ecaff8f85294bc59117be501366b41d55aa33843cbad5405f9e1417f72fcc7b5ba543c29a6
SSDEEP

6144:MEa0NFHr+NjEJ6WJmDXhdbPPkVUEdojhT8:XJryEJ6WIzhdbUiE7

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

lmyqtnonzg.exelmyqtnonzg.exe

pid process

1620 lmyqtnonzg.exe
1952 lmyqtnonzg.exe

pid	process
1620	lmyqtnonzg.exe
1952	lmyqtnonzg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lmyqtnonzg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	lmyqtnonzg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lmyqtnonzg.exelmyqtnonzg.exeNETSTAT.EXE

description	pid	process	target process
PID 1620 set thread context of 1952	1620	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1952 set thread context of 1028	1952	lmyqtnonzg.exe	Explorer.EXE
PID 3444 set thread context of 1028	3444	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3444 NETSTAT.EXE

pid	process
3444	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lmyqtnonzg.exeNETSTAT.EXE

pid	process
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1028 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lmyqtnonzg.exelmyqtnonzg.exeNETSTAT.EXE

pid process

1620 lmyqtnonzg.exe
1952 lmyqtnonzg.exe
1952 lmyqtnonzg.exe
1952 lmyqtnonzg.exe
3444 NETSTAT.EXE
3444 NETSTAT.EXE
3444 NETSTAT.EXE
3444 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lmyqtnonzg.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1952 lmyqtnonzg.exe
Token: SeDebugPrivilege 3444 NETSTAT.EXE

pid	process
1028	Explorer.EXE

pid	process
1620	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
1952	lmyqtnonzg.exe
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE
3444	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1952	lmyqtnonzg.exe
Token: SeDebugPrivilege	3444	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exelmyqtnonzg.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3576 wrote to memory of 1620	3576	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 3576 wrote to memory of 1620	3576	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 3576 wrote to memory of 1620	3576	065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe	lmyqtnonzg.exe
PID 1620 wrote to memory of 1952	1620	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1620 wrote to memory of 1952	1620	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1620 wrote to memory of 1952	1620	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1620 wrote to memory of 1952	1620	lmyqtnonzg.exe	lmyqtnonzg.exe
PID 1028 wrote to memory of 3444	1028	Explorer.EXE	NETSTAT.EXE
PID 1028 wrote to memory of 3444	1028	Explorer.EXE	NETSTAT.EXE
PID 1028 wrote to memory of 3444	1028	Explorer.EXE	NETSTAT.EXE
PID 3444 wrote to memory of 3040	3444	NETSTAT.EXE	Firefox.exe
PID 3444 wrote to memory of 3040	3444	NETSTAT.EXE	Firefox.exe
PID 3444 wrote to memory of 3040	3444	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe
"C:\Users\Admin\AppData\Local\Temp\065bfe7258ac4eb13d48c8db0da681c32448bbcb96a0e8a80a692a61ba25c18c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
"C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
"C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmyqtnonzg.exe
Filesize
13KB

MD5
6528140fd784ee2a196d5fd7d6b96622

SHA1
fb91fe68823c7ef598f920af978f0226d5e9a54d

SHA256
c85465defc810f0651b63b808c84b535b8859ac1638e96945f4f9ee92b73844d

SHA512
257c4bff97368eeeb97712cd33d213aea9658b6094693cecca46d76ccdd3780354694b11eea5b343e4b8093a7418b6a9f4bfd332bf7b99668477b55b5a2d814d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plcqridn.iql
Filesize
5KB

MD5
8b2dd74b24049fa0644ae195073e22a7

SHA1
efcb154a283a48c8a118869fc5ec6aa902ec2a6b

SHA256
cf2642d8ad3cebbd586b1faa83912f9dfb70078dc2ba6914b4c6dc1f68470fe6

SHA512
de8fba3a5d1a568a1b30e57f2e14d3b7a8b1337f6d739c1cd1cf8fec84fe1ffcb4e8521d41189694e241847a475b560bd34b05080d44ce04308d2c8a2ef6dbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrybrlscnms.j
Filesize
185KB

MD5
da4adaa57769f1ba84485bc4f68358c9

SHA1
cd92822d9b7f91beeaf7d64e5ed836ebf93ed3c5

SHA256
56e12bbefcc6c07d425ade3bfe13d866db19cb11c7efc251f0f9a00fd11a7168

SHA512
e5a79088faca19ca58b5b5c0843bbdf8b51f2ca077cd7c6f186af0635e3165b15bf9ac7536077158283516becbb92d8a1f20d683fa997f8a4ac6fc2dddcf1af1

Download Submit
memory/1028-153-0x0000000002740000-0x0000000002840000-memory.dmp

Filesize
1024KB

Download
memory/1028-151-0x0000000002740000-0x0000000002840000-memory.dmp

Filesize
1024KB

Download
memory/1028-143-0x0000000007F20000-0x000000000803F000-memory.dmp

Filesize
1.1MB

Download
memory/1620-132-0x0000000000000000-mapping.dmp

Download
memory/1952-142-0x0000000001570000-0x0000000001580000-memory.dmp

Filesize
64KB

Download
memory/1952-141-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download
memory/1952-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1952-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1952-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-137-0x0000000000000000-mapping.dmp

Download
memory/3444-144-0x0000000000000000-mapping.dmp

Download
memory/3444-148-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/3444-147-0x0000000000810000-0x000000000081B000-memory.dmp

Filesize
44KB

Download
memory/3444-149-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/3444-150-0x00000000012B0000-0x000000000133F000-memory.dmp

Filesize
572KB

Download
memory/3444-152-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads