formbook | dbf84e96986833b84a04c6940f2632bcd554523fbc8553bcdbda46d62846a17a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe
Size

626KB
MD5

031281aa0667cba260ddad6f77c89ccd
SHA1

17b747e3e1de9296f862d522a9664046d2d3469e
SHA256

16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
SHA512

f4715533c2f535964dc98f581887abc1a9daf68f913b9b316762ddf169b4209458fbeebed8173fca65c7d4732087bf0b0e4369fa440cebd45772d77559820ea2
SSDEEP

12288:bItKcNGvH3x+D0NDO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHS:bItK9H3xbJZlT+lQTD/O3BArRCHS

Score

10^/10

formbook henz discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mwfkiq.exe

Executes dropped EXE 2 IoCs

pid	Process
3828	mwfkiq.exe
4824	mwfkiq.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 4824	3828	mwfkiq.exe	84
PID 4824 set thread context of 3444	4824	mwfkiq.exe	56
PID 3672 set thread context of 3444	3672	colorcpl.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwfkiq.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
3828	mwfkiq.exe
3828	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
4824	mwfkiq.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe
3672	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	mwfkiq.exe
Token: SeDebugPrivilege	3672	colorcpl.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3828	mwfkiq.exe
3828	mwfkiq.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3828	mwfkiq.exe
3828	mwfkiq.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3828	4408	16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe	83
PID 4408 wrote to memory of 3828	4408	16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe	83
PID 4408 wrote to memory of 3828	4408	16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe	83
PID 3828 wrote to memory of 4824	3828	mwfkiq.exe	84
PID 3828 wrote to memory of 4824	3828	mwfkiq.exe	84
PID 3828 wrote to memory of 4824	3828	mwfkiq.exe	84
PID 3828 wrote to memory of 4824	3828	mwfkiq.exe	84
PID 3444 wrote to memory of 3672	3444	Explorer.EXE	86
PID 3444 wrote to memory of 3672	3444	Explorer.EXE	86
PID 3444 wrote to memory of 3672	3444	Explorer.EXE	86
PID 3672 wrote to memory of 1664	3672	colorcpl.exe	100
PID 3672 wrote to memory of 1664	3672	colorcpl.exe	100
PID 3672 wrote to memory of 1664	3672	colorcpl.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe
  "C:\Users\Admin\AppData\Local\Temp\16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe
    "C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe" "C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe
      "C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe" "C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4004
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ispif.hre

Filesize
185KB

MD5
3cfd2fc4bace3b7a026ea386367aeb1c

SHA1
d8c09c5809ae2c09dccd6790bc3f57fa4bc42735

SHA256
75a663272a1cb4a66a727653d4128459844b3f407dc4366d65431331a00c3d5c

SHA512
1023861a2312e5b1607ff99ec0f5061502965339ee21c5719eb74081fe5820538f750ed45158b58cab6e2d27784a1c25e7b6325dfb1590fb97348db3bddf57c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxvuoazn.heb

Filesize
40KB

MD5
4b48ae58eb0a611ee3be6370c8b16c3f

SHA1
67065f7d57704bef238590ae76ad060c29470dfa

SHA256
394e96cda29cfffff3a9f4ef1e8b2e1751bf22e351d048c374ee8b088172094e

SHA512
a71320b300e23da49b25c0d9875d80e18c9a68660f5616b174ffa3a7b9ecef25418b28a2338a1b8133292600e3826282c9e352d50269f4acd9ad4b941632c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3

Filesize
9KB

MD5
528e53c721e9a9ddd2b963098da47a1b

SHA1
6e7b4d8a92b14ce4fbbe6eb4ca93b12dd120ae24

SHA256
bcbef065142b2fffd5baa3ce19f0ca347451f2d75cfbea9e3e9cc323c678edd6

SHA512
3c42df1b911768497f2822189ff999f229a904ced51a7e1c8355e73c1e30f4b8fc8ddcca584dccc9a6f482d0f48fb6dece54a73a95eec0c9506e25b5189e4d7c

Download Submit
memory/3444-20-0x00000000089B0000-0x0000000008B0B000-memory.dmp

Filesize
1.4MB

Download
memory/3444-30-0x0000000008D30000-0x0000000008E38000-memory.dmp

Filesize
1.0MB

Download
memory/3444-28-0x0000000008D30000-0x0000000008E38000-memory.dmp

Filesize
1.0MB

Download
memory/3444-27-0x0000000008D30000-0x0000000008E38000-memory.dmp

Filesize
1.0MB

Download
memory/3444-25-0x00000000089B0000-0x0000000008B0B000-memory.dmp

Filesize
1.4MB

Download
memory/3672-21-0x00000000004A0000-0x00000000004B9000-memory.dmp

Filesize
100KB

Download
memory/3672-22-0x00000000004A0000-0x00000000004B9000-memory.dmp

Filesize
100KB

Download
memory/3672-24-0x0000000000440000-0x000000000046D000-memory.dmp

Filesize
180KB

Download
memory/3828-8-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

Filesize
8KB

Download
memory/4824-17-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download
memory/4824-18-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download
memory/4824-19-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/4824-16-0x0000000001050000-0x000000000139A000-memory.dmp

Filesize
3.3MB

Download
memory/4824-11-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download
memory/4824-15-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download