formbook | 52052b4191b4785bd6dc43453882f41dbeb0731111bb2390c33ee30a15ba0bea

General

Target

GENTECH PRODUCT INQUIRY.exe
Size

642KB
MD5

6366b461b56945be4a795ca8bd346ec3
SHA1

d08c5c0188c8bb4e84b41bed78a805cbc0a127de
SHA256

38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249
SHA512

dc07e51c460193869514c875cdc5aaa1da59855ebaee8fae5edb44cd4acf35d37190982113fda285c0c7f95fbc5c1c854c13be42d7cad53f46360c0beddd8b82

Score

10^/10

formbook q5e persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

446f58.com

usadealerskills.com

henryandshekera2018.com

51weishan.com

aidlex.com

1t0tenother.men

ucai-inter.com

khelojharkhand.com

scrimvate.com

nlxgz.info

99083311.com

free-space.site

isaiahfernandes.com

atmospherictechnologies.com

posteuphoria.com

cflcinc.com

fafa886.com

bestapps4ever168.download

bpen.ltd

tongtaikeji0427.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE Evil Google Drive Download
suricata: ET MALWARE Evil Google Drive Download
suricata
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1312-57-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1312-58-0x000000000041E2F0-mapping.dmp	formbook
behavioral1/memory/1312-60-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/524-66-0x0000000000110000-0x000000000013D000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GENTECH PRODUCT INQUIRY.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Vsru = "C:\\Users\\Admin\\AppData\\Local\\Vsru\\Vsru.hta"	GENTECH PRODUCT INQUIRY.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

GENTECH PRODUCT INQUIRY.exeieinstal.exewlanext.exe

description	pid	process	target process
PID 1260 set thread context of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1312 set thread context of 1380	1312	ieinstal.exe	Explorer.EXE
PID 524 set thread context of 1380	524	wlanext.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ieinstal.exewlanext.exe

pid	process
1312	ieinstal.exe
1312	ieinstal.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe
524	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ieinstal.exewlanext.exe

pid process

1312 ieinstal.exe
1312 ieinstal.exe
1312 ieinstal.exe
524 wlanext.exe
524 wlanext.exe
524 wlanext.exe
524 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ieinstal.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1312 ieinstal.exe
Token: SeDebugPrivilege 524 wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1312	ieinstal.exe
Token: SeDebugPrivilege	524	wlanext.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

GENTECH PRODUCT INQUIRY.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1260 wrote to memory of 1312	1260	GENTECH PRODUCT INQUIRY.exe	ieinstal.exe
PID 1380 wrote to memory of 524	1380	Explorer.EXE	wlanext.exe
PID 1380 wrote to memory of 524	1380	Explorer.EXE	wlanext.exe
PID 1380 wrote to memory of 524	1380	Explorer.EXE	wlanext.exe
PID 1380 wrote to memory of 524	1380	Explorer.EXE	wlanext.exe
PID 524 wrote to memory of 1972	524	wlanext.exe	Firefox.exe
PID 524 wrote to memory of 1972	524	wlanext.exe	Firefox.exe
PID 524 wrote to memory of 1972	524	wlanext.exe	Firefox.exe
PID 524 wrote to memory of 1972	524	wlanext.exe	Firefox.exe
PID 524 wrote to memory of 1972	524	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\GENTECH PRODUCT INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\GENTECH PRODUCT INQUIRY.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogim.jpeg
Filesize
69KB

MD5
36e4438f1aef11547836ad8c3d94db49

SHA1
d2d725923f6c3a44058809cdd1b36ddc23aafc26

SHA256
816266d35a545b514e5a818bce5f9a0a22a441ee3aef11b30cb6c750e77fd89f

SHA512
fe149340f28ff9b1e959b174c346fa79cc12c015b6a8df1499d020d7b4f9d698b053454ae5bba2f2a235cd89e909ceb8556247eeeab70ad6e7bab310360e148c

Download Submit
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\17MAR21T\17Mlogrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/524-69-0x0000000000990000-0x0000000000A23000-memory.dmp

Filesize
588KB

Download
memory/524-68-0x0000000000B70000-0x0000000000E73000-memory.dmp

Filesize
3.0MB

Download
memory/524-66-0x0000000000110000-0x000000000013D000-memory.dmp

Filesize
180KB

Download
memory/524-65-0x0000000000E90000-0x0000000000EA6000-memory.dmp

Filesize
88KB

Download
memory/524-64-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1312-61-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1312-62-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1312-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1312-58-0x000000000041E2F0-mapping.dmp

Download
memory/1312-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1312-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1380-63-0x00000000064E0000-0x000000000661F000-memory.dmp

Filesize
1.2MB

Download
memory/1380-70-0x0000000006370000-0x0000000006418000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads