formbook | b918ed3991e3f8cbcac0ec8b4d3d176634be12ed0614654cef1df9b84e15b4de

General

Target

1193af601f7742f964a6b14b0616a860.exe
Size

294KB
MD5

1193af601f7742f964a6b14b0616a860
SHA1

5f18b2b9aa276eb7a98593fce285c3d4d1705cf8
SHA256

b918ed3991e3f8cbcac0ec8b4d3d176634be12ed0614654cef1df9b84e15b4de
SHA512

96632f81685bc25a590153c3f18a6611e8a285dc5fde3b38e090360e91ebf7dd5f37cc91bc0e50325644b17430caf5c5112b855a35e906f8b3da1faa586b65d1
SSDEEP

6144:PYa6kUTqhzYIewfyV32depRkYu9iRooob:PY6WgzEdpfPof

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

hiufmy.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation hiufmy.exe
Executes dropped EXE 2 IoCs

Processes:

hiufmy.exehiufmy.exe

pid process

3088 hiufmy.exe
5092 hiufmy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	hiufmy.exe

pid	process
3088	hiufmy.exe
5092	hiufmy.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hiufmy.exehiufmy.exeexplorer.exe

description	pid	process	target process
PID 3088 set thread context of 5092	3088	hiufmy.exe	hiufmy.exe
PID 5092 set thread context of 3140	5092	hiufmy.exe	Explorer.EXE
PID 1588 set thread context of 3140	1588	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

hiufmy.exeexplorer.exe

pid	process
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

hiufmy.exehiufmy.exeexplorer.exe

pid process

3088 hiufmy.exe
5092 hiufmy.exe
5092 hiufmy.exe
5092 hiufmy.exe
1588 explorer.exe
1588 explorer.exe
1588 explorer.exe
1588 explorer.exe

pid	process
3140	Explorer.EXE

pid	process
3088	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
5092	hiufmy.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe
1588	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

hiufmy.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	5092	hiufmy.exe
Token: SeDebugPrivilege	1588	explorer.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1193af601f7742f964a6b14b0616a860.exehiufmy.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 4984 wrote to memory of 3088	4984	1193af601f7742f964a6b14b0616a860.exe	hiufmy.exe
PID 4984 wrote to memory of 3088	4984	1193af601f7742f964a6b14b0616a860.exe	hiufmy.exe
PID 4984 wrote to memory of 3088	4984	1193af601f7742f964a6b14b0616a860.exe	hiufmy.exe
PID 3088 wrote to memory of 5092	3088	hiufmy.exe	hiufmy.exe
PID 3088 wrote to memory of 5092	3088	hiufmy.exe	hiufmy.exe
PID 3088 wrote to memory of 5092	3088	hiufmy.exe	hiufmy.exe
PID 3088 wrote to memory of 5092	3088	hiufmy.exe	hiufmy.exe
PID 3140 wrote to memory of 1588	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1588	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1588	3140	Explorer.EXE	explorer.exe
PID 1588 wrote to memory of 3004	1588	explorer.exe	Firefox.exe
PID 1588 wrote to memory of 3004	1588	explorer.exe	Firefox.exe
PID 1588 wrote to memory of 3004	1588	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\1193af601f7742f964a6b14b0616a860.exe
"C:\Users\Admin\AppData\Local\Temp\1193af601f7742f964a6b14b0616a860.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\hiufmy.exe
"C:\Users\Admin\AppData\Local\Temp\hiufmy.exe" C:\Users\Admin\AppData\Local\Temp\ufrrm.re
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\hiufmy.exe
"C:\Users\Admin\AppData\Local\Temp\hiufmy.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hiufmy.exe
Filesize
99KB

MD5
9bd983a7f7cafd066b183cc621731ace

SHA1
5e48e8f6d654301ea92eba3e2719d61253be59e5

SHA256
9a45850409d77e661e6add9914865303eeee16199f2db1065b5faf143b2a6290

SHA512
435bcd4af83ba253b45c12f30890fcfae083fc3760e5d25b366469cf330eaa7d553c86687d334ab0b19d4ffe0ccda8cdba60f2d069845e5ec15a4ec564e25a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiufmy.exe
Filesize
99KB

MD5
9bd983a7f7cafd066b183cc621731ace

SHA1
5e48e8f6d654301ea92eba3e2719d61253be59e5

SHA256
9a45850409d77e661e6add9914865303eeee16199f2db1065b5faf143b2a6290

SHA512
435bcd4af83ba253b45c12f30890fcfae083fc3760e5d25b366469cf330eaa7d553c86687d334ab0b19d4ffe0ccda8cdba60f2d069845e5ec15a4ec564e25a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiufmy.exe
Filesize
99KB

MD5
9bd983a7f7cafd066b183cc621731ace

SHA1
5e48e8f6d654301ea92eba3e2719d61253be59e5

SHA256
9a45850409d77e661e6add9914865303eeee16199f2db1065b5faf143b2a6290

SHA512
435bcd4af83ba253b45c12f30890fcfae083fc3760e5d25b366469cf330eaa7d553c86687d334ab0b19d4ffe0ccda8cdba60f2d069845e5ec15a4ec564e25a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufrrm.re
Filesize
6KB

MD5
0f55e8f1fafe8a10f5d0700f89845b20

SHA1
a1b14d2a50993d55057ed453b39e8124ed3f79f7

SHA256
c4ab35124468b9bb5ea0bb6e26a9694ea1554bd8592270e2260bf8f3dcf49a90

SHA512
1962c15d715a73f8c2754301f43d64f3127a83a1189c58f07bf16788b6d48267e0a05dfb8847924d268eff90c22543c088dc564eda080fec62f4a31dc5fc965c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxpgjlroki.mcz
Filesize
204KB

MD5
07f0262d1a9028a22e5c35b9b5e00642

SHA1
cc26afbd084517a34063409b705dd3c58f5f7bc3

SHA256
ee1453e0677273ef631502e9cd13f195ea0530d1f6d95c6f0cc6fe92e97c4dca

SHA512
5c30c933d5dbec9254327160438fd6c162c2e6b6ba7a54040f708719196bb14f4a1fb962ebe0573947a6db597b1801f85681272e155e43818d27437132a75a20

Download Submit
memory/1588-155-0x0000000000440000-0x000000000046D000-memory.dmp

Filesize
180KB

Download
memory/1588-151-0x0000000000D40000-0x0000000001173000-memory.dmp

Filesize
4.2MB

Download
memory/1588-154-0x0000000000D40000-0x0000000001173000-memory.dmp

Filesize
4.2MB

Download
memory/1588-156-0x00000000028F0000-0x0000000002C3A000-memory.dmp

Filesize
3.3MB

Download
memory/1588-159-0x0000000002620000-0x00000000026AF000-memory.dmp

Filesize
572KB

Download
memory/1588-158-0x0000000000440000-0x000000000046D000-memory.dmp

Filesize
180KB

Download
memory/3140-179-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-196-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-231-0x0000000002890000-0x0000000002892000-memory.dmp

Filesize
8KB

Download
memory/3140-160-0x000000000A840000-0x000000000A9B1000-memory.dmp

Filesize
1.4MB

Download
memory/3140-161-0x000000000A840000-0x000000000A9B1000-memory.dmp

Filesize
1.4MB

Download
memory/3140-163-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-164-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-165-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-166-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-167-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-168-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-169-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-171-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-172-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-170-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/3140-173-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-174-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-175-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-176-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-177-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-178-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-150-0x0000000008F10000-0x00000000090A0000-memory.dmp

Filesize
1.6MB

Download
memory/3140-180-0x000000000A840000-0x000000000A9B1000-memory.dmp

Filesize
1.4MB

Download
memory/3140-192-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-193-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-194-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-195-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-224-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-197-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-198-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-199-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-200-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-201-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-202-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-203-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-204-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-205-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-206-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-207-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-208-0x0000000002890000-0x0000000002892000-memory.dmp

Filesize
8KB

Download
memory/3140-215-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-216-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-217-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-218-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-219-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-220-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-221-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-222-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3140-223-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/5092-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5092-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5092-148-0x0000000001380000-0x00000000016CA000-memory.dmp

Filesize
3.3MB

Download
memory/5092-149-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/5092-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads