formbook | 67df0a89b663af659b5f00979d5ecb52592f81ab32d55ab197963b5cfed28e8e

General

Target

DHL_AWB_NO#907853880911.exe
Size

268KB
MD5

a4fce543204701289e529a5143a417dd
SHA1

e3b2091b4efaf71e5a9ea48c4c0c5764bef0e04c
SHA256

67df0a89b663af659b5f00979d5ecb52592f81ab32d55ab197963b5cfed28e8e
SHA512

d9c38a3750e0733410735f16061082165f96e1f761aa29957d1b2a4451110fe1bcc26396a5c085bc575919e5fd25102ee9969a0af53926de433b80f6f583de1e

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1432-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1724-145-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

67 1724 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

gvttgvwc.exegvttgvwc.exe

pid process

1920 gvttgvwc.exe
1432 gvttgvwc.exe

flow	pid	process
67	1724	rundll32.exe

pid	process
1920	gvttgvwc.exe
1432	gvttgvwc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gvttgvwc.exegvttgvwc.exerundll32.exe

description	pid	process	target process
PID 1920 set thread context of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1432 set thread context of 2284	1432	gvttgvwc.exe	Explorer.EXE
PID 1724 set thread context of 2284	1724	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

gvttgvwc.exerundll32.exe

pid	process
1432	gvttgvwc.exe
1432	gvttgvwc.exe
1432	gvttgvwc.exe
1432	gvttgvwc.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe
1724	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2284 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

gvttgvwc.exerundll32.exe

pid process

1432 gvttgvwc.exe
1432 gvttgvwc.exe
1432 gvttgvwc.exe
1724 rundll32.exe
1724 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gvttgvwc.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1432 gvttgvwc.exe
Token: SeDebugPrivilege 1724 rundll32.exe

pid	process
2284	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1432	gvttgvwc.exe
Token: SeDebugPrivilege	1724	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DHL_AWB_NO#907853880911.exegvttgvwc.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4964 wrote to memory of 1920	4964	DHL_AWB_NO#907853880911.exe	gvttgvwc.exe
PID 4964 wrote to memory of 1920	4964	DHL_AWB_NO#907853880911.exe	gvttgvwc.exe
PID 4964 wrote to memory of 1920	4964	DHL_AWB_NO#907853880911.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 1920 wrote to memory of 1432	1920	gvttgvwc.exe	gvttgvwc.exe
PID 2284 wrote to memory of 1724	2284	Explorer.EXE	rundll32.exe
PID 2284 wrote to memory of 1724	2284	Explorer.EXE	rundll32.exe
PID 2284 wrote to memory of 1724	2284	Explorer.EXE	rundll32.exe
PID 1724 wrote to memory of 3584	1724	rundll32.exe	cmd.exe
PID 1724 wrote to memory of 3584	1724	rundll32.exe	cmd.exe
PID 1724 wrote to memory of 3584	1724	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe C:\Users\Admin\AppData\Local\Temp\bndphz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe"
3⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3zjk5bodwmhk
Filesize
184KB

MD5
e22c1dae93f5eaa74cf061f3317cd8aa

SHA1
cfd436e61a71c36b5cf9556be467d7ae4ed03dd2

SHA256
8705a86e017ba79fb861cccfb6326f1e1d03652863bedf935d7f5178725e7d1b

SHA512
38692fa9f000c980bcd736ac6324a62117a97141c8cc67500f0546c3d864ead104341ef935a0ffb5c17628ee5b3c14e8b47ec4c510861c3e5c4d9b70df36d886

Download Submit
C:\Users\Admin\AppData\Local\Temp\bndphz
Filesize
5KB

MD5
91fad66d3669b29e96d4212b1742266b

SHA1
d6e91d14bfc279a05665df9c3dd54345ca1b03f2

SHA256
f013968269e40e178e31ee48b339fb69b71dae0ea6f9dcf4036f822483b45c2f

SHA512
2ac0d59f48d55bb05eb88afd079e849821d4c6ac7a671210d0b3aecd0d73c6bcc9964f14a498a54ce429173b74e41859ce265b1ddbf459e98c49d91f457c95fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
Filesize
74KB

MD5
edfb926367eb32980768270b264fbfc7

SHA1
e51e7deb61ebc6bc8a9f74c9b954ef1b01236f81

SHA256
234746ef5cb7e35013efdb2935837ccd94cb9d03fdc2d05498efe632c854714f

SHA512
0ccaa54ee8e3f875900422783e3f92b02c2b81e293765d026b423fe5e6f9aa6fd46796c697ca2001785f1b36348a5c6c1330c86dc59d75867b05db0399a03162

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
Filesize
74KB

MD5
edfb926367eb32980768270b264fbfc7

SHA1
e51e7deb61ebc6bc8a9f74c9b954ef1b01236f81

SHA256
234746ef5cb7e35013efdb2935837ccd94cb9d03fdc2d05498efe632c854714f

SHA512
0ccaa54ee8e3f875900422783e3f92b02c2b81e293765d026b423fe5e6f9aa6fd46796c697ca2001785f1b36348a5c6c1330c86dc59d75867b05db0399a03162

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvttgvwc.exe
Filesize
74KB

MD5
edfb926367eb32980768270b264fbfc7

SHA1
e51e7deb61ebc6bc8a9f74c9b954ef1b01236f81

SHA256
234746ef5cb7e35013efdb2935837ccd94cb9d03fdc2d05498efe632c854714f

SHA512
0ccaa54ee8e3f875900422783e3f92b02c2b81e293765d026b423fe5e6f9aa6fd46796c697ca2001785f1b36348a5c6c1330c86dc59d75867b05db0399a03162

Download Submit
memory/1432-139-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/1432-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-135-0x0000000000000000-mapping.dmp

Download
memory/1432-140-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/1724-142-0x0000000000000000-mapping.dmp

Download
memory/1724-144-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download
memory/1724-145-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/1724-146-0x0000000002A50000-0x0000000002D9A000-memory.dmp

Filesize
3.3MB

Download
memory/1724-147-0x00000000028C0000-0x0000000002953000-memory.dmp

Filesize
588KB

Download
memory/1920-130-0x0000000000000000-mapping.dmp

Download
memory/2284-141-0x0000000007DC0000-0x0000000007EF1000-memory.dmp

Filesize
1.2MB

Download
memory/2284-148-0x0000000008310000-0x0000000008472000-memory.dmp

Filesize
1.4MB

Download
memory/3584-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads