formbook | e15ba8be78ecdfc804dba4fbce9e14eaef0d84ec4c9b82d5d8b109c64a566266

General

Target

Scannedfile.exe
Size

350KB
MD5

56390adecfa92125980762fc0e8494a7
SHA1

d3c4dde030bcfc33c66e3a4753da01ccab190395
SHA256

e15ba8be78ecdfc804dba4fbce9e14eaef0d84ec4c9b82d5d8b109c64a566266
SHA512

7c45d53f6e6d09aa227b51a52cf09be6e2cf1ad1ab0e5aef1eddbe321748dc1d1601a215952aa983f18774a0960c567a2118271a897869565c7d7f36a36ee45c
SSDEEP

6144:vYa6Gwv4JbsquWe3Jf+vNUY88npcc90c72Z5X2uWRN:vYowvh02L8pJ0cP7

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

vmkhea.exevmkhea.exe

pid process

1900 vmkhea.exe
1696 vmkhea.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vmkhea.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation vmkhea.exe
Loads dropped DLL 3 IoCs

Processes:

Scannedfile.exevmkhea.exeNETSTAT.EXE

pid process

1160 Scannedfile.exe
1900 vmkhea.exe
984 NETSTAT.EXE

pid	process
1900	vmkhea.exe
1696	vmkhea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	vmkhea.exe

pid	process
1160	Scannedfile.exe
1900	vmkhea.exe
984	NETSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

vmkhea.exevmkhea.exeNETSTAT.EXE

description	pid	process	target process
PID 1900 set thread context of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1696 set thread context of 1352	1696	vmkhea.exe	Explorer.EXE
PID 984 set thread context of 1352	984	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

984 NETSTAT.EXE

pid	process
984	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

vmkhea.exeNETSTAT.EXE

pid	process
1696	vmkhea.exe
1696	vmkhea.exe
1696	vmkhea.exe
1696	vmkhea.exe
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

vmkhea.exevmkhea.exeNETSTAT.EXE

pid process

1900 vmkhea.exe
1696 vmkhea.exe
1696 vmkhea.exe
1696 vmkhea.exe
984 NETSTAT.EXE
984 NETSTAT.EXE
984 NETSTAT.EXE
984 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vmkhea.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1696 vmkhea.exe
Token: SeDebugPrivilege 984 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE

pid	process
1900	vmkhea.exe
1696	vmkhea.exe
1696	vmkhea.exe
1696	vmkhea.exe
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE
984	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1696	vmkhea.exe
Token: SeDebugPrivilege	984	NETSTAT.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Scannedfile.exevmkhea.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1160 wrote to memory of 1900	1160	Scannedfile.exe	vmkhea.exe
PID 1160 wrote to memory of 1900	1160	Scannedfile.exe	vmkhea.exe
PID 1160 wrote to memory of 1900	1160	Scannedfile.exe	vmkhea.exe
PID 1160 wrote to memory of 1900	1160	Scannedfile.exe	vmkhea.exe
PID 1900 wrote to memory of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1900 wrote to memory of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1900 wrote to memory of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1900 wrote to memory of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1900 wrote to memory of 1696	1900	vmkhea.exe	vmkhea.exe
PID 1352 wrote to memory of 984	1352	Explorer.EXE	NETSTAT.EXE
PID 1352 wrote to memory of 984	1352	Explorer.EXE	NETSTAT.EXE
PID 1352 wrote to memory of 984	1352	Explorer.EXE	NETSTAT.EXE
PID 1352 wrote to memory of 984	1352	Explorer.EXE	NETSTAT.EXE
PID 984 wrote to memory of 1508	984	NETSTAT.EXE	Firefox.exe
PID 984 wrote to memory of 1508	984	NETSTAT.EXE	Firefox.exe
PID 984 wrote to memory of 1508	984	NETSTAT.EXE	Firefox.exe
PID 984 wrote to memory of 1508	984	NETSTAT.EXE	Firefox.exe
PID 984 wrote to memory of 1508	984	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\Scannedfile.exe
"C:\Users\Admin\AppData\Local\Temp\Scannedfile.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
"C:\Users\Admin\AppData\Local\Temp\vmkhea.exe" C:\Users\Admin\AppData\Local\Temp\mpivddpz.tri
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
"C:\Users\Admin\AppData\Local\Temp\vmkhea.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iqjvzfk.ue
Filesize
204KB

MD5
0880babb09c29beb2b5abf5b4b77ae0c

SHA1
90acb23b49429d1dd1a1db34c52cd0b5573bb085

SHA256
82094ed0f6636c07dc5f334d8570f680b3e9b4a5940835c849fb389c9d4f8284

SHA512
2f285a8f147d4cb88341f36ec31b8663db67539b43abd11f5f07589150fafc5f0200c5c108c39f7d6e9c82d2755e7f2341645306cc89a8923cfaeeed76d52ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpivddpz.tri
Filesize
5KB

MD5
ff30951272329a53f6e3b5691499ed9b

SHA1
da7cb61266432bec47c2d1409514421d3dc094bf

SHA256
99f9281f44786eb78ed0c78bf7d1e49a2c74f39c372f9fa66a64c65e262c4b7b

SHA512
5d94a23233e58522fe0d85db6951f89075c48678c329e6a0410deb33fd25aeab7686744d6ef8ba4a43b202b3eaf057529ca95bb6b489eeff9407735232bceeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize
253KB

MD5
9fdbc5d40969ccc25817337e6c07421e

SHA1
3461204d292e37aef9564d290b6d2ed3f895b202

SHA256
c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c

SHA512
dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize
253KB

MD5
9fdbc5d40969ccc25817337e6c07421e

SHA1
3461204d292e37aef9564d290b6d2ed3f895b202

SHA256
c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c

SHA512
dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize
253KB

MD5
9fdbc5d40969ccc25817337e6c07421e

SHA1
3461204d292e37aef9564d290b6d2ed3f895b202

SHA256
c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c

SHA512
dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize
253KB

MD5
9fdbc5d40969ccc25817337e6c07421e

SHA1
3461204d292e37aef9564d290b6d2ed3f895b202

SHA256
c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c

SHA512
dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca

Download Submit
\Users\Admin\AppData\Local\Temp\vmkhea.exe
Filesize
253KB

MD5
9fdbc5d40969ccc25817337e6c07421e

SHA1
3461204d292e37aef9564d290b6d2ed3f895b202

SHA256
c897b24ede9abc850982db93be1b048365856aee09564427b856706b4d03467c

SHA512
dc947d8009b98cc89989d756b3d254ce066e6c75c9adefa440872b8c6c35053b85484c8aa0940be708bc197177f44cf8c507eda30c7ac16f8b8aa73d0e1688ca

Download Submit
memory/984-73-0x0000000002250000-0x0000000002553000-memory.dmp

Filesize
3.0MB

Download
memory/984-70-0x0000000000000000-mapping.dmp

Download
memory/984-76-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/984-74-0x0000000001F80000-0x000000000200F000-memory.dmp

Filesize
572KB

Download
memory/984-72-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/984-71-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1352-69-0x0000000004B20000-0x0000000004C22000-memory.dmp

Filesize
1.0MB

Download
memory/1352-75-0x0000000004C30000-0x0000000004CFA000-memory.dmp

Filesize
808KB

Download
memory/1352-78-0x0000000004C30000-0x0000000004CFA000-memory.dmp

Filesize
808KB

Download
memory/1696-68-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1696-67-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1696-62-0x00000000004012B0-mapping.dmp

Download
memory/1696-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads