formbook | a8e45b2b0117e0a1e195a054667fca524862223bd2838a17f2ac9f47fe6191cc

General

Target

new order pdf.exe
Size

499KB
MD5

628a7485ff121976a776a305616581f5
SHA1

b14a8eb559a7a28388b7cede334ccc08914c2516
SHA256

a8e45b2b0117e0a1e195a054667fca524862223bd2838a17f2ac9f47fe6191cc
SHA512

4dadf6ca85e4d41fcbb1816fa854a5eba0e37aca2539ea0bacf9920729bf9a602c65ec0745a0d89347d032a0bdef5f9c95196126f1b2c244833ba10e4296ec79

Score

10^/10

formbook g2m3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2m3

Decoy

stocktonfingerprinting.com

metaaiqr.com

junicy.com

libertymutualgrou.com

jklhs7gl.xyz

alex-covalcova.space

socialfiguild.com

drnicholasreid.com

androidappprogrammierie.com

relatingtohumans.com

jitsystems.com

gbwpmz.com

lesaventuresdecocomango.com

wu8ggqdv077p.xyz

autnvg.com

wghakt016.xyz

lagosian.store

hilldoor.com

oculos-ajustavel-br.xyz

nameniboothac.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4360-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4360-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2188-154-0x0000000000870000-0x000000000089F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

new order pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	new order pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

new order pdf.exeRegSvcs.exerundll32.exe

description	pid	process	target process
PID 2280 set thread context of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 4360 set thread context of 2660	4360	RegSvcs.exe	Explorer.EXE
PID 2188 set thread context of 2660	2188	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5036 schtasks.exe

pid	process
5036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

new order pdf.exepowershell.exeRegSvcs.exerundll32.exe

pid	process
2280	new order pdf.exe
2280	new order pdf.exe
5016	powershell.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
5016	powershell.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2660 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exerundll32.exe

pid process

4360 RegSvcs.exe
4360 RegSvcs.exe
4360 RegSvcs.exe
2188 rundll32.exe
2188 rundll32.exe

pid	process
2660	Explorer.EXE

pid	process
4360	RegSvcs.exe
4360	RegSvcs.exe
4360	RegSvcs.exe
2188	rundll32.exe
2188	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

new order pdf.exepowershell.exeRegSvcs.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2280	new order pdf.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4360	RegSvcs.exe
Token: SeDebugPrivilege	2188	rundll32.exe
Token: SeShutdownPrivilege	2660	Explorer.EXE
Token: SeCreatePagefilePrivilege	2660	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

new order pdf.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2280 wrote to memory of 5016	2280	new order pdf.exe	powershell.exe
PID 2280 wrote to memory of 5016	2280	new order pdf.exe	powershell.exe
PID 2280 wrote to memory of 5016	2280	new order pdf.exe	powershell.exe
PID 2280 wrote to memory of 5036	2280	new order pdf.exe	schtasks.exe
PID 2280 wrote to memory of 5036	2280	new order pdf.exe	schtasks.exe
PID 2280 wrote to memory of 5036	2280	new order pdf.exe	schtasks.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2280 wrote to memory of 4360	2280	new order pdf.exe	RegSvcs.exe
PID 2660 wrote to memory of 2188	2660	Explorer.EXE	rundll32.exe
PID 2660 wrote to memory of 2188	2660	Explorer.EXE	rundll32.exe
PID 2660 wrote to memory of 2188	2660	Explorer.EXE	rundll32.exe
PID 2188 wrote to memory of 3928	2188	rundll32.exe	cmd.exe
PID 2188 wrote to memory of 3928	2188	rundll32.exe	cmd.exe
PID 2188 wrote to memory of 3928	2188	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\new order pdf.exe
"C:\Users\Admin\AppData\Local\Temp\new order pdf.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vEyBxaRI.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vEyBxaRI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC66.tmp"
3⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC66.tmp
Filesize
1KB

MD5
77122ee5be27e07e9e9690cb3ed599b9

SHA1
00bc2c49ee7afeacf3318fdb17cb37aa3a937f40

SHA256
9ba2b80924b24224f2308d076da024e2de92cdae28fa1150111b5b74e3cbb16f

SHA512
bd8cf96c428dfc2061c8e573050ac60bd02c1aa12b08779099c45403f4cced185ccbfa3d276d825d8cb7f623042a6e710ce6cd26c628d1846962514e8016497d

Download Submit
memory/2188-161-0x0000000002670000-0x0000000002703000-memory.dmp

Filesize
588KB

Download
memory/2188-155-0x0000000002840000-0x0000000002B8A000-memory.dmp

Filesize
3.3MB

Download
memory/2188-154-0x0000000000870000-0x000000000089F000-memory.dmp

Filesize
188KB

Download
memory/2188-153-0x0000000000BB0000-0x0000000000BC4000-memory.dmp

Filesize
80KB

Download
memory/2188-151-0x0000000000000000-mapping.dmp

Download
memory/2280-124-0x0000000000900000-0x0000000000982000-memory.dmp

Filesize
520KB

Download
memory/2280-125-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/2280-126-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/2280-127-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/2280-128-0x00000000076E0000-0x000000000777C000-memory.dmp

Filesize
624KB

Download
memory/2280-129-0x0000000009020000-0x0000000009086000-memory.dmp

Filesize
408KB

Download
memory/2660-143-0x0000000002E80000-0x0000000002F8F000-memory.dmp

Filesize
1.1MB

Download
memory/2660-162-0x0000000008160000-0x0000000008285000-memory.dmp

Filesize
1.1MB

Download
memory/3928-157-0x0000000000000000-mapping.dmp

Download
memory/4360-135-0x0000000000000000-mapping.dmp

Download
memory/4360-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-141-0x00000000018A0000-0x0000000001BEA000-memory.dmp

Filesize
3.3MB

Download
memory/4360-142-0x0000000001810000-0x0000000001824000-memory.dmp

Filesize
80KB

Download
memory/4360-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-150-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/5016-132-0x0000000002E00000-0x0000000002E36000-memory.dmp

Filesize
216KB

Download
memory/5016-147-0x0000000070C60000-0x0000000070CAC000-memory.dmp

Filesize
304KB

Download
memory/5016-148-0x0000000007890000-0x00000000078AE000-memory.dmp

Filesize
120KB

Download
memory/5016-149-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/5016-137-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/5016-145-0x00000000078B0000-0x00000000078E2000-memory.dmp

Filesize
200KB

Download
memory/5016-152-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/5016-134-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/5016-146-0x00000000053D5000-0x00000000053D7000-memory.dmp

Filesize
8KB

Download
memory/5016-138-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/5016-156-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/5016-144-0x0000000005510000-0x000000000552E000-memory.dmp

Filesize
120KB

Download
memory/5016-158-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/5016-159-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/5016-160-0x0000000007D60000-0x0000000007D68000-memory.dmp

Filesize
32KB

Download
memory/5016-130-0x0000000000000000-mapping.dmp

Download
memory/5036-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads