formbook | e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2

General

Target

6d1fc60576f650b2806d7e74da8ddd79.exe
Size

316KB
MD5

6d1fc60576f650b2806d7e74da8ddd79
SHA1

e315d5c0868e4a2c8a796e52616cc71fe02f2e4c
SHA256

e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2
SHA512

5e6cb4636df3121435c16d509a717965cdde9823d67876b75217b8346c4de1f5aa37f84eab951db6d5ff1c4ba68954a63a8556c8d872d960705cab759baf2c64
SSDEEP

6144:0Ea0Mr7/9GTiV71Oz7VtsorLQMYN6amP+73M/3Qt9/FvDxxf1lB97Z0V5l3g/Gjh:mr7/9UiV716rLQTNmP+73BpFvDxxdjIZ

Score

10^/10

formbook g2dc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g2dc

Decoy

OqIwFVmXHnPUgdurr7I=

0YwewYtWNLZdkF7Q

HFT6VwOYdkifOpbT1h9DcYQ=

D+zGTvGlpriTumzBbw==

gMSID89/QqMV8yjH

HN5/g0/3yJBsnZCig9Qf

Hl33xdRU8xaC1rY=

/rhq03DorPAUH2bSp6228fGQ

gBwzCyfHge9SumzBbw==

NuOmK9+fenLQa9urr7I=

cA4+yKM4IQjpFwMt1BQEUJ1q6y0=

gpK3pqdoVNu93yS0uhocUtQmtQ==

3i3tx82Rf7yQdIyeprA=

FTo+4qVlVK7gIgxi0g3bUA==

7kDtq4wo6+cV8yjH

Dc123pIo9vcNuR9pwkQ0pPpHvQ==

KYREtH0zKNiI374=

Tok2qF4n2XOiRw==

DYFtA6ZXUJfA3MLhRtTVTQ==

C8poIeeskBCxEYHIbQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

efjbvjbax.exeefjbvjbax.exe

pid process

1760 efjbvjbax.exe
904 efjbvjbax.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

efjbvjbax.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation efjbvjbax.exe
Loads dropped DLL 3 IoCs

Processes:

6d1fc60576f650b2806d7e74da8ddd79.exeefjbvjbax.execolorcpl.exe

pid process

1544 6d1fc60576f650b2806d7e74da8ddd79.exe
1760 efjbvjbax.exe
1472 colorcpl.exe

pid	process
1760	efjbvjbax.exe
904	efjbvjbax.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	efjbvjbax.exe

pid	process
1544	6d1fc60576f650b2806d7e74da8ddd79.exe
1760	efjbvjbax.exe
1472	colorcpl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

efjbvjbax.exeefjbvjbax.execolorcpl.exe

description	pid	process	target process
PID 1760 set thread context of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 904 set thread context of 1220	904	efjbvjbax.exe	Explorer.EXE
PID 1472 set thread context of 1220	1472	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

efjbvjbax.execolorcpl.exe

pid	process
904	efjbvjbax.exe
904	efjbvjbax.exe
904	efjbvjbax.exe
904	efjbvjbax.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

efjbvjbax.exeefjbvjbax.execolorcpl.exe

pid process

1760 efjbvjbax.exe
904 efjbvjbax.exe
904 efjbvjbax.exe
904 efjbvjbax.exe
1472 colorcpl.exe
1472 colorcpl.exe
1472 colorcpl.exe
1472 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

efjbvjbax.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 904 efjbvjbax.exe
Token: SeDebugPrivilege 1472 colorcpl.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

pid	process
1220	Explorer.EXE

pid	process
1760	efjbvjbax.exe
904	efjbvjbax.exe
904	efjbvjbax.exe
904	efjbvjbax.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe
1472	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	904	efjbvjbax.exe
Token: SeDebugPrivilege	1472	colorcpl.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6d1fc60576f650b2806d7e74da8ddd79.exeefjbvjbax.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1544 wrote to memory of 1760	1544	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 1544 wrote to memory of 1760	1544	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 1544 wrote to memory of 1760	1544	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 1544 wrote to memory of 1760	1544	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 1760 wrote to memory of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 1760 wrote to memory of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 1760 wrote to memory of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 1760 wrote to memory of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 1760 wrote to memory of 904	1760	efjbvjbax.exe	efjbvjbax.exe
PID 1220 wrote to memory of 1472	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 1472	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 1472	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 1472	1220	Explorer.EXE	colorcpl.exe
PID 1472 wrote to memory of 1628	1472	colorcpl.exe	Firefox.exe
PID 1472 wrote to memory of 1628	1472	colorcpl.exe	Firefox.exe
PID 1472 wrote to memory of 1628	1472	colorcpl.exe	Firefox.exe
PID 1472 wrote to memory of 1628	1472	colorcpl.exe	Firefox.exe
PID 1472 wrote to memory of 1628	1472	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\6d1fc60576f650b2806d7e74da8ddd79.exe
"C:\Users\Admin\AppData\Local\Temp\6d1fc60576f650b2806d7e74da8ddd79.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
"C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
"C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtfdyoawp.n
Filesize
185KB

MD5
52c16d1552e3a40a5f8cd42f0969cf8e

SHA1
c680e7b89130aff5eeac81a63e32546e14a2af6c

SHA256
19cc2a51f253da74af95ad89088dbac472e8a5e23c697f0d430ed5ba331a00aa

SHA512
a0376e398a42e46de7964d6c32ed51cb60b1cca1a44685fd18decedb185cf34ee7fcd035692fb350e29ffb97da4a54c564360e15fa1c8424544cde74d751d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsxi.nje
Filesize
5KB

MD5
b354743445a48fc1ebfadafc0d0b2e89

SHA1
49a2abd1ca350204be8099457a0e17f73ec5ac59

SHA256
ddc537e9d96875d019c772aff294b7b63c796831343c277918585b313a4fb138

SHA512
aeb46f91ed117204d31c3140ec74ef7f70f0214ea08c2ca0a0972eaf09bb49998444cdc66552f2d2eb61df079e20cfb3f1563646a2e26c2ab08987c539aecd4b

Download Submit
\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
memory/904-67-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/904-63-0x00000000004012B0-mapping.dmp

Download
memory/904-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/904-68-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1220-78-0x00000000068D0000-0x00000000069CB000-memory.dmp

Filesize
1004KB

Download
memory/1220-69-0x0000000006500000-0x000000000661D000-memory.dmp

Filesize
1.1MB

Download
memory/1220-76-0x00000000068D0000-0x00000000069CB000-memory.dmp

Filesize
1004KB

Download
memory/1472-72-0x0000000000060000-0x0000000000078000-memory.dmp

Filesize
96KB

Download
memory/1472-74-0x00000000020F0000-0x00000000023F3000-memory.dmp

Filesize
3.0MB

Download
memory/1472-73-0x00000000000A0000-0x00000000000CD000-memory.dmp

Filesize
180KB

Download
memory/1472-75-0x0000000000390000-0x000000000041F000-memory.dmp

Filesize
572KB

Download
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1472-77-0x00000000000A0000-0x00000000000CD000-memory.dmp

Filesize
180KB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads