formbook | e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2

General

Target

6d1fc60576f650b2806d7e74da8ddd79.exe
Size

316KB
MD5

6d1fc60576f650b2806d7e74da8ddd79
SHA1

e315d5c0868e4a2c8a796e52616cc71fe02f2e4c
SHA256

e4b98a029783ce068a262f3393caa28754470082b6b7066f34a27595e5ff2ea2
SHA512

5e6cb4636df3121435c16d509a717965cdde9823d67876b75217b8346c4de1f5aa37f84eab951db6d5ff1c4ba68954a63a8556c8d872d960705cab759baf2c64
SSDEEP

6144:0Ea0Mr7/9GTiV71Oz7VtsorLQMYN6amP+73M/3Qt9/FvDxxf1lB97Z0V5l3g/Gjh:mr7/9UiV716rLQTNmP+73BpFvDxxdjIZ

Score

10^/10

formbook g2dc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g2dc

Decoy

OqIwFVmXHnPUgdurr7I=

0YwewYtWNLZdkF7Q

HFT6VwOYdkifOpbT1h9DcYQ=

D+zGTvGlpriTumzBbw==

gMSID89/QqMV8yjH

HN5/g0/3yJBsnZCig9Qf

Hl33xdRU8xaC1rY=

/rhq03DorPAUH2bSp6228fGQ

gBwzCyfHge9SumzBbw==

NuOmK9+fenLQa9urr7I=

cA4+yKM4IQjpFwMt1BQEUJ1q6y0=

gpK3pqdoVNu93yS0uhocUtQmtQ==

3i3tx82Rf7yQdIyeprA=

FTo+4qVlVK7gIgxi0g3bUA==

7kDtq4wo6+cV8yjH

Dc123pIo9vcNuR9pwkQ0pPpHvQ==

KYREtH0zKNiI374=

Tok2qF4n2XOiRw==

DYFtA6ZXUJfA3MLhRtTVTQ==

C8poIeeskBCxEYHIbQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

efjbvjbax.exeefjbvjbax.exe

pid process

4892 efjbvjbax.exe
2980 efjbvjbax.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

efjbvjbax.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation efjbvjbax.exe

pid	process
4892	efjbvjbax.exe
2980	efjbvjbax.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	efjbvjbax.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

efjbvjbax.exeefjbvjbax.exewlanext.exe

description	pid	process	target process
PID 4892 set thread context of 2980	4892	efjbvjbax.exe	efjbvjbax.exe
PID 2980 set thread context of 3000	2980	efjbvjbax.exe	Explorer.EXE
PID 4904 set thread context of 3000	4904	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

efjbvjbax.exewlanext.exe

pid	process
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

efjbvjbax.exeefjbvjbax.exewlanext.exe

pid process

4892 efjbvjbax.exe
2980 efjbvjbax.exe
2980 efjbvjbax.exe
2980 efjbvjbax.exe
4904 wlanext.exe
4904 wlanext.exe
4904 wlanext.exe
4904 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

efjbvjbax.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2980 efjbvjbax.exe
Token: SeDebugPrivilege 4904 wlanext.exe

pid	process
3000	Explorer.EXE

pid	process
4892	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
2980	efjbvjbax.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe
4904	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	2980	efjbvjbax.exe
Token: SeDebugPrivilege	4904	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6d1fc60576f650b2806d7e74da8ddd79.exeefjbvjbax.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 4200 wrote to memory of 4892	4200	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 4200 wrote to memory of 4892	4200	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 4200 wrote to memory of 4892	4200	6d1fc60576f650b2806d7e74da8ddd79.exe	efjbvjbax.exe
PID 4892 wrote to memory of 2980	4892	efjbvjbax.exe	efjbvjbax.exe
PID 4892 wrote to memory of 2980	4892	efjbvjbax.exe	efjbvjbax.exe
PID 4892 wrote to memory of 2980	4892	efjbvjbax.exe	efjbvjbax.exe
PID 4892 wrote to memory of 2980	4892	efjbvjbax.exe	efjbvjbax.exe
PID 3000 wrote to memory of 4904	3000	Explorer.EXE	wlanext.exe
PID 3000 wrote to memory of 4904	3000	Explorer.EXE	wlanext.exe
PID 3000 wrote to memory of 4904	3000	Explorer.EXE	wlanext.exe
PID 4904 wrote to memory of 4364	4904	wlanext.exe	Firefox.exe
PID 4904 wrote to memory of 4364	4904	wlanext.exe	Firefox.exe
PID 4904 wrote to memory of 4364	4904	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\6d1fc60576f650b2806d7e74da8ddd79.exe
"C:\Users\Admin\AppData\Local\Temp\6d1fc60576f650b2806d7e74da8ddd79.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
"C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
"C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\efjbvjbax.exe
Filesize
148KB

MD5
1e7d3db9174be4b6ef30f6b4badeb9d2

SHA1
c61a0009e2f0604f7878aa73a401d509410f0d75

SHA256
a555c27d3b29ddfd268c242f74b47e70dff5650425a77eef76cdde22f379dea0

SHA512
5fadeb1d89e852cfd9079afc0cc9dc1f0588995720b9ce2dcc36d0d273d041fecee6dad845c5fea6dcbdfe6c8b58ff4b4bbe0569ee864e63a5113d8f99299bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtfdyoawp.n
Filesize
185KB

MD5
52c16d1552e3a40a5f8cd42f0969cf8e

SHA1
c680e7b89130aff5eeac81a63e32546e14a2af6c

SHA256
19cc2a51f253da74af95ad89088dbac472e8a5e23c697f0d430ed5ba331a00aa

SHA512
a0376e398a42e46de7964d6c32ed51cb60b1cca1a44685fd18decedb185cf34ee7fcd035692fb350e29ffb97da4a54c564360e15fa1c8424544cde74d751d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsxi.nje
Filesize
5KB

MD5
b354743445a48fc1ebfadafc0d0b2e89

SHA1
49a2abd1ca350204be8099457a0e17f73ec5ac59

SHA256
ddc537e9d96875d019c772aff294b7b63c796831343c277918585b313a4fb138

SHA512
aeb46f91ed117204d31c3140ec74ef7f70f0214ea08c2ca0a0972eaf09bb49998444cdc66552f2d2eb61df079e20cfb3f1563646a2e26c2ab08987c539aecd4b

Download Submit
memory/2980-142-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2980-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2980-141-0x0000000001190000-0x00000000014DA000-memory.dmp

Filesize
3.3MB

Download
memory/2980-137-0x0000000000000000-mapping.dmp

Download
memory/3000-149-0x0000000008460000-0x0000000008551000-memory.dmp

Filesize
964KB

Download
memory/3000-143-0x0000000007B00000-0x0000000007BE4000-memory.dmp

Filesize
912KB

Download
memory/3000-151-0x0000000008460000-0x0000000008551000-memory.dmp

Filesize
964KB

Download
memory/4892-132-0x0000000000000000-mapping.dmp

Download
memory/4904-144-0x0000000000000000-mapping.dmp

Download
memory/4904-147-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/4904-148-0x0000000001240000-0x00000000012CF000-memory.dmp

Filesize
572KB

Download
memory/4904-146-0x00000000014A0000-0x00000000017EA000-memory.dmp

Filesize
3.3MB

Download
memory/4904-150-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/4904-145-0x00000000007D0000-0x00000000007E7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads