formbook | e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377

General

Target

DHL_INVOICE#-00834.exe
Size

262KB
MD5

c4c96fd02d8673927cf596fc80cd8647
SHA1

8b5c6d26685f5c0373ba95ea3f5c76e19a1548de
SHA256

e90c54d32e7a267681bef788fefb68a4a6ed2c74718039cd5d5fce43c6f33377
SHA512

3f72d7cee8db3e880b33ef483f5e706d2e9308582d60385660a2ae4b37a7e879cd7fa01b1c583e0e7399b51f9887ce384333754282c783d85953ff0edaf17696
SSDEEP

6144:NBn0lN4V4dffxSB8diLsh6JUIbcubtlVzNb:EDXxSBxLshR/ubzVh

Score

10^/10

formbook g2dc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g2dc

Decoy

OqIwFVmXHnPUgdurr7I=

0YwewYtWNLZdkF7Q

HFT6VwOYdkifOpbT1h9DcYQ=

D+zGTvGlpriTumzBbw==

gMSID89/QqMV8yjH

HN5/g0/3yJBsnZCig9Qf

Hl33xdRU8xaC1rY=

/rhq03DorPAUH2bSp6228fGQ

gBwzCyfHge9SumzBbw==

NuOmK9+fenLQa9urr7I=

cA4+yKM4IQjpFwMt1BQEUJ1q6y0=

gpK3pqdoVNu93yS0uhocUtQmtQ==

3i3tx82Rf7yQdIyeprA=

FTo+4qVlVK7gIgxi0g3bUA==

7kDtq4wo6+cV8yjH

Dc123pIo9vcNuR9pwkQ0pPpHvQ==

KYREtH0zKNiI374=

Tok2qF4n2XOiRw==

DYFtA6ZXUJfA3MLhRtTVTQ==

C8poIeeskBCxEYHIbQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

fbtgbm.exefbtgbm.exe

pid process

5072 fbtgbm.exe
3900 fbtgbm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fbtgbm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation fbtgbm.exe

pid	process
5072	fbtgbm.exe
3900	fbtgbm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fbtgbm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fbtgbm.exefbtgbm.exeWWAHost.exe

description	pid	process	target process
PID 5072 set thread context of 3900	5072	fbtgbm.exe	fbtgbm.exe
PID 3900 set thread context of 2376	3900	fbtgbm.exe	Explorer.EXE
PID 3328 set thread context of 2376	3328	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

WWAHost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

fbtgbm.exeWWAHost.exe

pid	process
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2376 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

fbtgbm.exefbtgbm.exeWWAHost.exe

pid process

5072 fbtgbm.exe
3900 fbtgbm.exe
3900 fbtgbm.exe
3900 fbtgbm.exe
3328 WWAHost.exe
3328 WWAHost.exe
3328 WWAHost.exe
3328 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fbtgbm.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 3900 fbtgbm.exe
Token: SeDebugPrivilege 3328 WWAHost.exe

pid	process
2376	Explorer.EXE

pid	process
5072	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3900	fbtgbm.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe
3328	WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	3900	fbtgbm.exe
Token: SeDebugPrivilege	3328	WWAHost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL_INVOICE#-00834.exefbtgbm.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1488 wrote to memory of 5072	1488	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 1488 wrote to memory of 5072	1488	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 1488 wrote to memory of 5072	1488	DHL_INVOICE#-00834.exe	fbtgbm.exe
PID 5072 wrote to memory of 3900	5072	fbtgbm.exe	fbtgbm.exe
PID 5072 wrote to memory of 3900	5072	fbtgbm.exe	fbtgbm.exe
PID 5072 wrote to memory of 3900	5072	fbtgbm.exe	fbtgbm.exe
PID 5072 wrote to memory of 3900	5072	fbtgbm.exe	fbtgbm.exe
PID 2376 wrote to memory of 3328	2376	Explorer.EXE	WWAHost.exe
PID 2376 wrote to memory of 3328	2376	Explorer.EXE	WWAHost.exe
PID 2376 wrote to memory of 3328	2376	Explorer.EXE	WWAHost.exe
PID 3328 wrote to memory of 3636	3328	WWAHost.exe	Firefox.exe
PID 3328 wrote to memory of 3636	3328	WWAHost.exe	Firefox.exe
PID 3328 wrote to memory of 3636	3328	WWAHost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_INVOICE#-00834.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
"C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe" C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
"C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4896

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbtgbm.exe
Filesize
11KB

MD5
0e50a8c11030a7367c770cd5317015a5

SHA1
1275cd7ecef9059e7959868f551df317db1971f4

SHA256
5b808ae1862b54f2e5e65a924d03d827d3a6b113aeab7a07c8b090961099d33f

SHA512
814f1a949f4ca394fb4bb4e1d28a66e763fbe243e7319c28b618da536108428fa4356cd024e97bca89e684f552cbfc51483a54c4205dc92621ae69976cd934d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\imzbj.qm
Filesize
185KB

MD5
50ad533858f9a65a0ce926bf0b396619

SHA1
ae88e2d52163e66666ef78f6559db7534dd9dbb6

SHA256
7fdbf2b32a07ce5b22762439f2251725170fe4bef290e07ac566b1a0b4c6cb64

SHA512
3d13a4faa0719e531f7ed00ca841b9bffa360c3fadd3c34697d4b1ab27bdcfce27f79e80e9e5fa5a62baaec70d78040ac1092b3f97bed45ee748638cde8887f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uynbaziu.t
Filesize
5KB

MD5
fd876a99321992ceaff68b84bbdbbbe0

SHA1
0239567f1a08dd305fe9351783abc9c2ce67c2d8

SHA256
d9faf20ff13fff6619c79af16313646de9d13e9d6686c1ca91c596b50a89dabd

SHA512
6901a2b7eae60cab62688e8028a51c0eea5487825e7bc7cc52a126040df405171609dd45e8fbb8a8a5af5b9d4ba3745a83eda07993339f24968113cd548237cd

Download Submit
memory/2376-151-0x00000000084E0000-0x0000000008648000-memory.dmp

Filesize
1.4MB

Download
memory/2376-150-0x00000000084E0000-0x0000000008648000-memory.dmp

Filesize
1.4MB

Download
memory/2376-143-0x00000000033C0000-0x00000000034C9000-memory.dmp

Filesize
1.0MB

Download
memory/3328-146-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/3328-149-0x00000000013B0000-0x000000000143F000-memory.dmp

Filesize
572KB

Download
memory/3328-148-0x00000000003C0000-0x00000000003ED000-memory.dmp

Filesize
180KB

Download
memory/3328-147-0x0000000001660000-0x00000000019AA000-memory.dmp

Filesize
3.3MB

Download
memory/3328-144-0x0000000000000000-mapping.dmp

Download
memory/3328-145-0x00000000008A0000-0x000000000097C000-memory.dmp

Filesize
880KB

Download
memory/3900-137-0x0000000000000000-mapping.dmp

Download
memory/3900-142-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/3900-141-0x00000000009F0000-0x0000000000D3A000-memory.dmp

Filesize
3.3MB

Download
memory/3900-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3900-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads