formbook | af3838d501fed830bcb3c3b48d3184b05f588d8699816aff5a2f2f27ec0d1154

General

Target

PROVA DE PAGAMENTO.exe
Size

710KB
MD5

d90ee4a69a80b53f8b6ac0f3fd08e72c
SHA1

000e8e599fbf58baeac2483c92370b811fa2477d
SHA256

c0764ceab13a533b3ea99ccc162a1f36e85f4094b29c4a30b91b0d3f0ff1112e
SHA512

ec18433d2c9afc3865c5f6b58acdb895c6abe98427b8e19d37e991033a3aee5254fea78f097aa472d9a1930f6d5fcc17cafd524fd5170c9bf3427bdb0f5a7755
SSDEEP

12288:pSIyM/U057k2TlIh1A/lDMzAmORWyYuMkAAV/8wot83w/8rRWnu6:BBOzGVMU9WyvdFotCronu6

Score

10^/10

formbook gs25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1644-68-0x000000000041F1B0-mapping.dmp	formbook
behavioral1/memory/1644-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1644-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/864-79-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/864-84-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PROVA DE PAGAMENTO.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 1200 set thread context of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1644 set thread context of 1280	1644	RegSvcs.exe	Explorer.EXE
PID 864 set thread context of 1280	864	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

520 schtasks.exe

pid	process
520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

PROVA DE PAGAMENTO.exepowershell.exeRegSvcs.execontrol.exe

pid	process
1200	PROVA DE PAGAMENTO.exe
1200	PROVA DE PAGAMENTO.exe
1500	powershell.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe
864	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

1644 RegSvcs.exe
1644 RegSvcs.exe
1644 RegSvcs.exe
864 control.exe
864 control.exe

pid	process
1280	Explorer.EXE

pid	process
1644	RegSvcs.exe
1644	RegSvcs.exe
1644	RegSvcs.exe
864	control.exe
864	control.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

PROVA DE PAGAMENTO.exepowershell.exeRegSvcs.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1200	PROVA DE PAGAMENTO.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1644	RegSvcs.exe
Token: SeDebugPrivilege	864	control.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

PROVA DE PAGAMENTO.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1200 wrote to memory of 1500	1200	PROVA DE PAGAMENTO.exe	powershell.exe
PID 1200 wrote to memory of 1500	1200	PROVA DE PAGAMENTO.exe	powershell.exe
PID 1200 wrote to memory of 1500	1200	PROVA DE PAGAMENTO.exe	powershell.exe
PID 1200 wrote to memory of 1500	1200	PROVA DE PAGAMENTO.exe	powershell.exe
PID 1200 wrote to memory of 520	1200	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 1200 wrote to memory of 520	1200	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 1200 wrote to memory of 520	1200	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 1200 wrote to memory of 520	1200	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1200 wrote to memory of 1644	1200	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 1280 wrote to memory of 864	1280	Explorer.EXE	control.exe
PID 1280 wrote to memory of 864	1280	Explorer.EXE	control.exe
PID 1280 wrote to memory of 864	1280	Explorer.EXE	control.exe
PID 1280 wrote to memory of 864	1280	Explorer.EXE	control.exe
PID 864 wrote to memory of 1056	864	control.exe	cmd.exe
PID 864 wrote to memory of 1056	864	control.exe	cmd.exe
PID 864 wrote to memory of 1056	864	control.exe	cmd.exe
PID 864 wrote to memory of 1056	864	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\PROVA DE PAGAMENTO.exe
"C:\Users\Admin\AppData\Local\Temp\PROVA DE PAGAMENTO.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WvnNgxUfgUAHr.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WvnNgxUfgUAHr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7022.tmp"
3⤵
- Creates scheduled task(s)
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7022.tmp

Filesize
1KB

MD5
dcf8e2ee32a239658ee4a02594ad24c2

SHA1
c5de46c20e37111cb076dbfe8e73417399501350

SHA256
a5f97c7e267c329b0ddf1764bf096a66cccf8d7bb464d84b3a2e1a139ae03338

SHA512
86bb35585de2f310bd3c1befb121c076fa339e40e7c00cba166346b743a39e51bdaeafe6b1d7753fab150516a1d189cab71742e9c64aef63658cb8d5ec3ac763

Download Submit
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/864-79-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/864-76-0x0000000000000000-mapping.dmp

Download
memory/864-84-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/864-82-0x00000000008E0000-0x0000000000974000-memory.dmp

Filesize
592KB

Download
memory/864-81-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/864-78-0x0000000000C60000-0x0000000000C7F000-memory.dmp

Filesize
124KB

Download
memory/1056-80-0x0000000000000000-mapping.dmp

Download
memory/1200-54-0x0000000000F80000-0x0000000001038000-memory.dmp

Filesize
736KB

Download
memory/1200-58-0x0000000005200000-0x0000000005270000-memory.dmp

Filesize
448KB

Download
memory/1200-56-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/1200-55-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/1200-57-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1200-63-0x0000000005270000-0x00000000052A4000-memory.dmp

Filesize
208KB

Download
memory/1280-85-0x0000000006D30000-0x0000000006EB1000-memory.dmp

Filesize
1.5MB

Download
memory/1280-74-0x0000000006C50000-0x0000000006D2C000-memory.dmp

Filesize
880KB

Download
memory/1280-83-0x0000000006D30000-0x0000000006EB1000-memory.dmp

Filesize
1.5MB

Download
memory/1500-59-0x0000000000000000-mapping.dmp

Download
memory/1500-75-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-70-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-68-0x000000000041F1B0-mapping.dmp

Download
memory/1644-73-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/1644-72-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1644-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads