formbook | 71ea65acce74b5793f509989efe2b9dee25d7700f6d52aeb07e321ad2ebe0b59

General

Target

vbc.exe
Size

572KB
MD5

5215d77fe7658c57dfa558d06347cb9d
SHA1

bec3bc597455060365a4b52a94d6cd10bb1d8e70
SHA256

71ea65acce74b5793f509989efe2b9dee25d7700f6d52aeb07e321ad2ebe0b59
SHA512

409a12e9201ec535d03bb250e3ae2bba23729574f1a21b31a409431c55562740869ad3465263c4b27fc3d60f719684974237ef2abac034bf631dadfad2052f0d
SSDEEP

12288:SqJLBMmBDlr4COKJ+JLgRSZ5KPZYPfzD:SqJFMJCOKc/KRY

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/616-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/616-68-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/616-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/632-79-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/632-84-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1508	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exevbc.execolorcpl.exe

description	pid	process	target process
PID 1976 set thread context of 616	1976	vbc.exe	vbc.exe
PID 616 set thread context of 1232	616	vbc.exe	Explorer.EXE
PID 632 set thread context of 1232	632	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1912 schtasks.exe

pid	process
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exevbc.execolorcpl.exepowershell.exe

pid	process
1976	vbc.exe
616	vbc.exe
616	vbc.exe
632	colorcpl.exe
1752	powershell.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe
632	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execolorcpl.exe

pid process

616 vbc.exe
616 vbc.exe
616 vbc.exe
632 colorcpl.exe
632 colorcpl.exe

pid	process
616	vbc.exe
616	vbc.exe
616	vbc.exe
632	colorcpl.exe
632	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.execolorcpl.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1976	vbc.exe
Token: SeDebugPrivilege	616	vbc.exe
Token: SeDebugPrivilege	632	colorcpl.exe
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

vbc.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1976 wrote to memory of 1752	1976	vbc.exe	powershell.exe
PID 1976 wrote to memory of 1752	1976	vbc.exe	powershell.exe
PID 1976 wrote to memory of 1752	1976	vbc.exe	powershell.exe
PID 1976 wrote to memory of 1752	1976	vbc.exe	powershell.exe
PID 1976 wrote to memory of 1912	1976	vbc.exe	schtasks.exe
PID 1976 wrote to memory of 1912	1976	vbc.exe	schtasks.exe
PID 1976 wrote to memory of 1912	1976	vbc.exe	schtasks.exe
PID 1976 wrote to memory of 1912	1976	vbc.exe	schtasks.exe
PID 1976 wrote to memory of 756	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 756	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 756	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 756	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1976 wrote to memory of 616	1976	vbc.exe	vbc.exe
PID 1232 wrote to memory of 632	1232	Explorer.EXE	colorcpl.exe
PID 1232 wrote to memory of 632	1232	Explorer.EXE	colorcpl.exe
PID 1232 wrote to memory of 632	1232	Explorer.EXE	colorcpl.exe
PID 1232 wrote to memory of 632	1232	Explorer.EXE	colorcpl.exe
PID 632 wrote to memory of 1508	632	colorcpl.exe	cmd.exe
PID 632 wrote to memory of 1508	632	colorcpl.exe	cmd.exe
PID 632 wrote to memory of 1508	632	colorcpl.exe	cmd.exe
PID 632 wrote to memory of 1508	632	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PSjwKGB.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PSjwKGB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBECE.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    3⤵
    - Deletes itself
    PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBECE.tmp

Filesize
1KB

MD5
02b3dac05fc3dafadb41c3f04f5238ee

SHA1
f8c7c73245dfd156f5205eb9896b5f65ac5e8e87

SHA256
7d4c52cf4501f6616f07fcb122355621e7fb89f165a812ec66b773ddbaa6542d

SHA512
d52d4c4ffa556964064ec08a89d30e434ee3e2a5e9d79208cd1fae8b93965e7a69f90c9b2136e248c561007bb9c8692af849aa27361591f4b4043ac5ed361c25

Download Submit
memory/616-71-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/616-70-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/616-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-68-0x000000000041F160-mapping.dmp

Download
memory/632-80-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/632-84-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/632-81-0x0000000001DC0000-0x0000000001E53000-memory.dmp

Filesize
588KB

Download
memory/632-79-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/632-78-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/632-74-0x0000000000000000-mapping.dmp

Download
memory/1232-85-0x0000000006280000-0x00000000063E3000-memory.dmp

Filesize
1.4MB

Download
memory/1232-72-0x0000000007B40000-0x0000000007CE1000-memory.dmp

Filesize
1.6MB

Download
memory/1232-82-0x0000000006280000-0x00000000063E3000-memory.dmp

Filesize
1.4MB

Download
memory/1508-77-0x0000000000000000-mapping.dmp

Download
memory/1752-73-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-83-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-59-0x0000000000000000-mapping.dmp

Download
memory/1912-61-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/1976-55-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1976-63-0x00000000046C0000-0x00000000046F4000-memory.dmp

Filesize
208KB

Download
memory/1976-57-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/1976-58-0x0000000005D70000-0x0000000005DE0000-memory.dmp

Filesize
448KB

Download
memory/1976-54-0x0000000000E10000-0x0000000000EA6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads