formbook | 38b3959cf30fce3b03c31286231db4d220427e31af7e3d7458792cdb3e8b895d

General

Target

yeni sipariş pdf.exe
Size

770KB
MD5

26b94b8cf43e9b091e3202ee396faa33
SHA1

a985b7b7f68f86c35f429d1d57416d8de04c6a4b
SHA256

38b3959cf30fce3b03c31286231db4d220427e31af7e3d7458792cdb3e8b895d
SHA512

a2390e0dcf816dd2ae33081922ce153602461b8b97114084aa1fcbcee267e546af96be4ca72d84efbc6c849b31d768a8126ccb8f6545e8c6682651569259079a

Score

10^/10

formbook g2m3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2m3

Decoy

stocktonfingerprinting.com

metaaiqr.com

junicy.com

libertymutualgrou.com

jklhs7gl.xyz

alex-covalcova.space

socialfiguild.com

drnicholasreid.com

androidappprogrammierie.com

relatingtohumans.com

jitsystems.com

gbwpmz.com

lesaventuresdecocomango.com

wu8ggqdv077p.xyz

autnvg.com

wghakt016.xyz

lagosian.store

hilldoor.com

oculos-ajustavel-br.xyz

nameniboothac.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1172-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/816-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

yeni sipariş pdf.exeRegSvcs.execmmon32.exe

description	pid	process	target process
PID 1096 set thread context of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1172 set thread context of 1252	1172	RegSvcs.exe	Explorer.EXE
PID 816 set thread context of 1252	816	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1680 schtasks.exe

pid	process
1680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

yeni sipariş pdf.exepowershell.exeRegSvcs.execmmon32.exe

pid	process
1096	yeni sipariş pdf.exe
1096	yeni sipariş pdf.exe
564	powershell.exe
1172	RegSvcs.exe
1172	RegSvcs.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe
816	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmmon32.exe

pid process

1172 RegSvcs.exe
1172 RegSvcs.exe
1172 RegSvcs.exe
816 cmmon32.exe
816 cmmon32.exe

pid	process
1172	RegSvcs.exe
1172	RegSvcs.exe
1172	RegSvcs.exe
816	cmmon32.exe
816	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

yeni sipariş pdf.exepowershell.exeRegSvcs.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1096	yeni sipariş pdf.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1172	RegSvcs.exe
Token: SeDebugPrivilege	816	cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

yeni sipariş pdf.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1096 wrote to memory of 564	1096	yeni sipariş pdf.exe	powershell.exe
PID 1096 wrote to memory of 564	1096	yeni sipariş pdf.exe	powershell.exe
PID 1096 wrote to memory of 564	1096	yeni sipariş pdf.exe	powershell.exe
PID 1096 wrote to memory of 564	1096	yeni sipariş pdf.exe	powershell.exe
PID 1096 wrote to memory of 1680	1096	yeni sipariş pdf.exe	schtasks.exe
PID 1096 wrote to memory of 1680	1096	yeni sipariş pdf.exe	schtasks.exe
PID 1096 wrote to memory of 1680	1096	yeni sipariş pdf.exe	schtasks.exe
PID 1096 wrote to memory of 1680	1096	yeni sipariş pdf.exe	schtasks.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1096 wrote to memory of 1172	1096	yeni sipariş pdf.exe	RegSvcs.exe
PID 1252 wrote to memory of 816	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 816	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 816	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 816	1252	Explorer.EXE	cmmon32.exe
PID 816 wrote to memory of 1016	816	cmmon32.exe	cmd.exe
PID 816 wrote to memory of 1016	816	cmmon32.exe	cmd.exe
PID 816 wrote to memory of 1016	816	cmmon32.exe	cmd.exe
PID 816 wrote to memory of 1016	816	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe
"C:\Users\Admin\AppData\Local\Temp\yeni sipariş pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OkKhgkaw.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OkKhgkaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp"
3⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp
MD5
725f03c3edb9925990a79516c239d76e

SHA1
0a197e0db727727c3e96a929eaa15ebf58376a7c

SHA256
c1c37775b0fc4fb3a9938ebd9a50a730766d3752599a201b89a04836bd79ad7b

SHA512
2b15d58f80f0b18533451eacd4d87ae37b90a220afefddad05f7d64cb0d694dfec904fabf95748c2ebe2a604db55bdf24847e8a6b45bb9e66f8918ca3f2ba515

Download Submit
memory/564-66-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/564-65-0x000000006E3F1000-0x000000006E3F2000-memory.dmp

Filesize
4KB

Download
memory/564-59-0x00000000757F1000-0x00000000757F3000-memory.dmp

Filesize
8KB

Download
memory/564-68-0x0000000002531000-0x0000000002532000-memory.dmp

Filesize
4KB

Download
memory/564-67-0x000000006E3F2000-0x000000006E3F4000-memory.dmp

Filesize
8KB

Download
memory/564-70-0x0000000002532000-0x0000000002534000-memory.dmp

Filesize
8KB

Download
memory/816-77-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/816-78-0x0000000001D70000-0x0000000001E03000-memory.dmp

Filesize
588KB

Download
memory/816-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/816-75-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1096-61-0x0000000004FC0000-0x0000000004FF4000-memory.dmp

Filesize
208KB

Download
memory/1096-56-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1096-57-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1096-58-0x00000000053E0000-0x0000000005494000-memory.dmp

Filesize
720KB

Download
memory/1096-54-0x0000000001150000-0x0000000001216000-memory.dmp

Filesize
792KB

Download
memory/1096-55-0x000000007404E000-0x000000007404F000-memory.dmp

Filesize
4KB

Download
memory/1172-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-73-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download
memory/1172-74-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/1172-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-71-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/1252-72-0x0000000006AE0000-0x0000000006C75000-memory.dmp

Filesize
1.6MB

Download
memory/1252-79-0x0000000006DE0000-0x0000000006F12000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads