formbook | af3838d501fed830bcb3c3b48d3184b05f588d8699816aff5a2f2f27ec0d1154

General

Target

PROVA DE PAGAMENTO.exe
Size

710KB
MD5

d90ee4a69a80b53f8b6ac0f3fd08e72c
SHA1

000e8e599fbf58baeac2483c92370b811fa2477d
SHA256

c0764ceab13a533b3ea99ccc162a1f36e85f4094b29c4a30b91b0d3f0ff1112e
SHA512

ec18433d2c9afc3865c5f6b58acdb895c6abe98427b8e19d37e991033a3aee5254fea78f097aa472d9a1930f6d5fcc17cafd524fd5170c9bf3427bdb0f5a7755
SSDEEP

12288:pSIyM/U057k2TlIh1A/lDMzAmORWyYuMkAAV/8wot83w/8rRWnu6:BBOzGVMU9WyvdFotCronu6

Score

10^/10

formbook gs25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3136-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3136-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4580-155-0x00000000003D0000-0x00000000003FF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PROVA DE PAGAMENTO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	PROVA DE PAGAMENTO.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PROVA DE PAGAMENTO.exeRegSvcs.exe

description	pid	process	target process
PID 4320 set thread context of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 3136 set thread context of 2748	3136	RegSvcs.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2876 schtasks.exe

pid	process
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

PROVA DE PAGAMENTO.exeRegSvcs.exepowershell.exeWWAHost.exe

pid	process
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
4320	PROVA DE PAGAMENTO.exe
3136	RegSvcs.exe
3136	RegSvcs.exe
3136	RegSvcs.exe
3136	RegSvcs.exe
1404	powershell.exe
1404	powershell.exe
4580	WWAHost.exe
4580	WWAHost.exe
4580	WWAHost.exe
4580	WWAHost.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegSvcs.exeWWAHost.exe

pid process

3136 RegSvcs.exe
3136 RegSvcs.exe
3136 RegSvcs.exe
4580 WWAHost.exe

pid	process
3136	RegSvcs.exe
3136	RegSvcs.exe
3136	RegSvcs.exe
4580	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

PROVA DE PAGAMENTO.exepowershell.exeRegSvcs.exeExplorer.EXEWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	4320	PROVA DE PAGAMENTO.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	3136	RegSvcs.exe
Token: SeShutdownPrivilege	2748	Explorer.EXE
Token: SeCreatePagefilePrivilege	2748	Explorer.EXE
Token: SeDebugPrivilege	4580	WWAHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PROVA DE PAGAMENTO.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 4320 wrote to memory of 1404	4320	PROVA DE PAGAMENTO.exe	powershell.exe
PID 4320 wrote to memory of 1404	4320	PROVA DE PAGAMENTO.exe	powershell.exe
PID 4320 wrote to memory of 1404	4320	PROVA DE PAGAMENTO.exe	powershell.exe
PID 4320 wrote to memory of 2876	4320	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 4320 wrote to memory of 2876	4320	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 4320 wrote to memory of 2876	4320	PROVA DE PAGAMENTO.exe	schtasks.exe
PID 4320 wrote to memory of 3116	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3116	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3116	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 4320 wrote to memory of 3136	4320	PROVA DE PAGAMENTO.exe	RegSvcs.exe
PID 2748 wrote to memory of 4580	2748	Explorer.EXE	WWAHost.exe
PID 2748 wrote to memory of 4580	2748	Explorer.EXE	WWAHost.exe
PID 2748 wrote to memory of 4580	2748	Explorer.EXE	WWAHost.exe
PID 4580 wrote to memory of 3188	4580	WWAHost.exe	cmd.exe
PID 4580 wrote to memory of 3188	4580	WWAHost.exe	cmd.exe
PID 4580 wrote to memory of 3188	4580	WWAHost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PROVA DE PAGAMENTO.exe
"C:\Users\Admin\AppData\Local\Temp\PROVA DE PAGAMENTO.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WvnNgxUfgUAHr.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WvnNgxUfgUAHr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp"
2⤵
- Creates scheduled task(s)
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp
Filesize
1KB

MD5
83264b5a4eb802b2da9daad98ed5024e

SHA1
241ef50b9f1194f1471a1e284ba26ce33ee6dc8a

SHA256
88474e9ccaeb7916acf1abb44f5b5c1c4e5b1baa2bccbcda9779489c18d5dc1f

SHA512
829ca2e9aad52b67e1c321dd1cc645c60389f957afbbe493f780a8010611a603f7b3ef8d4913996063f2b33867b470e4e69554fa27efb9a2690589cce74b48d0

Download Submit
memory/1404-142-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/1404-156-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/1404-152-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/1404-151-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/1404-150-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/1404-137-0x0000000000000000-mapping.dmp

Download
memory/1404-139-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/2748-148-0x0000000007870000-0x000000000793F000-memory.dmp

Filesize
828KB

Download
memory/2876-138-0x0000000000000000-mapping.dmp

Download
memory/3116-141-0x0000000000000000-mapping.dmp

Download
memory/3136-143-0x0000000000000000-mapping.dmp

Download
memory/3136-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-145-0x0000000001190000-0x00000000014DA000-memory.dmp

Filesize
3.3MB

Download
memory/3136-147-0x0000000000B80000-0x0000000000B95000-memory.dmp

Filesize
84KB

Download
memory/3136-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-157-0x0000000000000000-mapping.dmp

Download
memory/4320-135-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/4320-136-0x00000000014A0000-0x000000000153C000-memory.dmp

Filesize
624KB

Download
memory/4320-134-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4320-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/4320-132-0x0000000000B60000-0x0000000000C18000-memory.dmp

Filesize
736KB

Download
memory/4580-153-0x0000000000000000-mapping.dmp

Download
memory/4580-154-0x0000000000230000-0x000000000030C000-memory.dmp

Filesize
880KB

Download
memory/4580-155-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/4580-158-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads