formbook | 8fe7837653de9e01919ef2ea22f0b777fc6ee5c4898c33d0ce68b2602b8d4b65

General

Target

vbc.bin.exe
Size

839KB
MD5

3dc59de9ed011154938af9c5e29a3e1f
SHA1

745034c7572595000bacdb8d71fcb29ffab16b2c
SHA256

8fe7837653de9e01919ef2ea22f0b777fc6ee5c4898c33d0ce68b2602b8d4b65
SHA512

1852090e7c5f82c5ec4a8c63a0980d70843a770c9cc03e4a598d13c0002d444246d295f9bbaa97ee22ef13213e86243842019efa63b55d95139fc4350d66b142

Score

10^/10

formbook m8g0 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.psicologarenatacruz.com/m8g0/

Decoy

trypapaya.pro

instructorcornernet.com

techadvisorsfl.com

raunnan.com

filestune.com

learnitanywhereskills.com

beaullife.com

getcovidwear.com

tkrbeautyinstitut.com

lisaphamkhai.com

iconicdds.com

ksoopawlas.com

testosteron.store

jctaketwo.com

awexz.online

onlinening.com

steelwerkschicago.com

lukakordic.com

expertsofcoaching.com

dashcca.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3316-125-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3316-126-0x000000000041F1B0-mapping.dmp	formbook
behavioral2/memory/2928-132-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.bin.exevbc.bin.exesystray.exe

description	pid	process	target process
PID 4648 set thread context of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 3316 set thread context of 3048	3316	vbc.bin.exe	Explorer.EXE
PID 2928 set thread context of 3048	2928	systray.exe	Explorer.EXE

Modifies registry class 9 IoCs

Processes:

vbc.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.gmkasm	vbc.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\Shell\open\command	vbc.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\Shell\open	vbc.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.bin.exe\" \"%1\""	vbc.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\DefaultIcon	vbc.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.bin.exe"	vbc.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.gmkasm\ = "GMKAssembler.Project"	vbc.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project	vbc.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\GMKAssembler.Project\Shell	vbc.bin.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

vbc.bin.exesystray.exe

pid	process
3316	vbc.bin.exe
3316	vbc.bin.exe
3316	vbc.bin.exe
3316	vbc.bin.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe
2928	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.bin.exesystray.exe

pid process

3316 vbc.bin.exe
3316 vbc.bin.exe
3316 vbc.bin.exe
2928 systray.exe
2928 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.bin.exesystray.exe

description pid process

Token: SeDebugPrivilege 3316 vbc.bin.exe
Token: SeDebugPrivilege 2928 systray.exe

pid	process
3048	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3316	vbc.bin.exe
Token: SeDebugPrivilege	2928	systray.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

vbc.bin.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 4648 wrote to memory of 3316	4648	vbc.bin.exe	vbc.bin.exe
PID 3048 wrote to memory of 2928	3048	Explorer.EXE	systray.exe
PID 3048 wrote to memory of 2928	3048	Explorer.EXE	systray.exe
PID 3048 wrote to memory of 2928	3048	Explorer.EXE	systray.exe
PID 2928 wrote to memory of 2660	2928	systray.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	systray.exe	cmd.exe
PID 2928 wrote to memory of 2660	2928	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vbc.bin.exe"
3⤵
PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-134-0x0000000000000000-mapping.dmp

Download
memory/2928-135-0x0000000004930000-0x00000000049C4000-memory.dmp

Filesize
592KB

Download
memory/2928-133-0x00000000049F0000-0x0000000004D10000-memory.dmp

Filesize
3.1MB

Download
memory/2928-131-0x0000000001110000-0x0000000001116000-memory.dmp

Filesize
24KB

Download
memory/2928-132-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/2928-130-0x0000000000000000-mapping.dmp

Download
memory/3048-129-0x0000000006840000-0x0000000006965000-memory.dmp

Filesize
1.1MB

Download
memory/3048-136-0x00000000051C0000-0x0000000005349000-memory.dmp

Filesize
1.5MB

Download
memory/3316-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-128-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/3316-127-0x0000000000F30000-0x0000000001250000-memory.dmp

Filesize
3.1MB

Download
memory/3316-126-0x000000000041F1B0-mapping.dmp

Download
memory/4648-122-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/4648-114-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4648-123-0x0000000007B80000-0x0000000007BEB000-memory.dmp

Filesize
428KB

Download
memory/4648-124-0x0000000007C60000-0x0000000007C9B000-memory.dmp

Filesize
236KB

Download
memory/4648-121-0x0000000005CB0000-0x0000000005CCD000-memory.dmp

Filesize
116KB

Download
memory/4648-120-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4648-119-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4648-118-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4648-117-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4648-116-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads