formbook | f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a

Analysis

max time kernel
132s
max time network
73s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-11-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
Size

578KB
MD5

cd932bec1188b046a3312ab5ce3b4898
SHA1

21d703c97f16f46693ff9d5ea35f6f0a672436a7
SHA256

f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
SHA512

d2c36f04ba5dc2e27022206869cfffc10ce02bfc7fbe8e6a5781e085e593732212dc7db8078ff7e7b24eaf9dd1491d544b9f883f955f45a81a417ddbc5d2757b
SSDEEP

12288:6WO+MpbKbfjuyD9V/QuMwTRdA0uYWd0v:6WibKPvD9V4OXLXd

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4500-260-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/4500-270-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe

description	pid	process	target process
PID 2124 set thread context of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4128 schtasks.exe

pid	process
4128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exepowershell.exe

pid	process
4500	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
4500	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3320 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3320	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe

description	pid	process	target process
PID 2124 wrote to memory of 3320	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	powershell.exe
PID 2124 wrote to memory of 3320	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	powershell.exe
PID 2124 wrote to memory of 3320	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	powershell.exe
PID 2124 wrote to memory of 4128	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	schtasks.exe
PID 2124 wrote to memory of 4128	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	schtasks.exe
PID 2124 wrote to memory of 4128	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	schtasks.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
PID 2124 wrote to memory of 4500	2124	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe	f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe

C:\Users\Admin\AppData\Local\Temp\f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
"C:\Users\Admin\AppData\Local\Temp\f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BenzuQiEPgaXnl.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BenzuQiEPgaXnl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe
  "C:\Users\Admin\AppData\Local\Temp\f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp

Filesize
1KB

MD5
d722cfb5858c86c0e4f30aac6c67c402

SHA1
dd12f1675aad43fb1db693c395d7c69e8955c64f

SHA256
743cd91cfb2ae8fd225c882d34c53ce430a0705f41f222fe44771906dd55a383

SHA512
3520df7fa23681e9c0bc558049b540526dfcca9ab12d91cdbd5a7ba91c6dac21303b438b341424f652e050ab4807fbcb48f74abbf63b4f7ff19e706182f90f55

Download Submit
memory/2124-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000000720000-0x00000000007B6000-memory.dmp

Filesize
600KB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x00000000054A0000-0x000000000599E000-memory.dmp

Filesize
5.0MB

Download
memory/2124-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-159-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/2124-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-175-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/2124-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-183-0x0000000005120000-0x0000000005136000-memory.dmp

Filesize
88KB

Download
memory/2124-184-0x0000000005290000-0x000000000529E000-memory.dmp

Filesize
56KB

Download
memory/2124-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-186-0x0000000007740000-0x00000000077B0000-memory.dmp

Filesize
448KB

Download
memory/2124-187-0x0000000007870000-0x000000000790C000-memory.dmp

Filesize
624KB

Download
memory/2124-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-190-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-258-0x0000000000F80000-0x0000000000FB4000-memory.dmp

Filesize
208KB

Download
memory/3320-326-0x0000000009AE0000-0x0000000009B74000-memory.dmp

Filesize
592KB

Download
memory/3320-313-0x0000000008960000-0x000000000897E000-memory.dmp

Filesize
120KB

Download
memory/3320-299-0x00000000086B0000-0x0000000008726000-memory.dmp

Filesize
472KB

Download
memory/3320-295-0x0000000007E30000-0x0000000007E7B000-memory.dmp

Filesize
300KB

Download
memory/3320-289-0x0000000007D30000-0x0000000007D96000-memory.dmp

Filesize
408KB

Download
memory/3320-291-0x0000000008010000-0x0000000008360000-memory.dmp

Filesize
3.3MB

Download
memory/3320-253-0x0000000006F30000-0x0000000006F66000-memory.dmp

Filesize
216KB

Download
memory/3320-286-0x0000000007C10000-0x0000000007C32000-memory.dmp

Filesize
136KB

Download
memory/3320-529-0x0000000009970000-0x000000000998A000-memory.dmp

Filesize
104KB

Download
memory/3320-534-0x0000000009950000-0x0000000009958000-memory.dmp

Filesize
32KB

Download
memory/3320-290-0x0000000007DA0000-0x0000000007E06000-memory.dmp

Filesize
408KB

Download
memory/3320-264-0x00000000075A0000-0x0000000007BC8000-memory.dmp

Filesize
6.2MB

Download
memory/3320-312-0x0000000008980000-0x00000000089B3000-memory.dmp

Filesize
204KB

Download
memory/3320-294-0x0000000007E10000-0x0000000007E2C000-memory.dmp

Filesize
112KB

Download
memory/3320-322-0x0000000009690000-0x0000000009735000-memory.dmp

Filesize
660KB

Download
memory/3320-198-0x0000000000000000-mapping.dmp

Download
memory/4128-226-0x0000000000000000-mapping.dmp

Download
memory/4500-271-0x00000000012B0000-0x00000000015D0000-memory.dmp

Filesize
3.1MB

Download
memory/4500-260-0x000000000041F160-mapping.dmp

Download
memory/4500-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download