formbook | b66fc3c8f01ea488838e57cda4157b5ec8d3398b321fcc68bdb9d7ce397486f5

General

Target

FATURA ÖDEMESİ.exe
Size

857KB
MD5

66ed7ba0a4ca21ace023480e4015a9e3
SHA1

5de079ca99452414f7c68a985e9b114a16bf3f94
SHA256

b66fc3c8f01ea488838e57cda4157b5ec8d3398b321fcc68bdb9d7ce397486f5
SHA512

4319d634180de8a14f2bdb652a132ef1649ce05018b8f86f47b09ded7c5b20fd1691648539095276c46f7e35823b5f81d0d2dd8af353a523788828c81acbf1f1
SSDEEP

12288:y+oQgKZ/nXt7virmWhlGLaQYIIjmas5JGXylk+mphdWvzAtpexqlI9aDc7nH6Py:y/u/PlbmperA5IBH6Pq/M9

Score

10^/10

formbook gs25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4520-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FATURA ÖDEMESİ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	FATURA ÖDEMESİ.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

FATURA ÖDEMESİ.exeRegSvcs.exe

description	pid	process	target process
PID 2376 set thread context of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 4520 set thread context of 2584	4520	RegSvcs.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2736 schtasks.exe

pid	process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

FATURA ÖDEMESİ.exepowershell.exeRegSvcs.exe

pid	process
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
2376	FATURA ÖDEMESİ.exe
4260	powershell.exe
4260	powershell.exe
4520	RegSvcs.exe
4520	RegSvcs.exe
4520	RegSvcs.exe
4520	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

RegSvcs.exe

pid process

4520 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FATURA ÖDEMESİ.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2376 FATURA ÖDEMESİ.exe
Token: SeDebugPrivilege 4260 powershell.exe
Token: SeDebugPrivilege 4520 RegSvcs.exe

pid	process
4520	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2376	FATURA ÖDEMESİ.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4520	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

FATURA ÖDEMESİ.exeExplorer.EXE

description	pid	process	target process
PID 2376 wrote to memory of 4260	2376	FATURA ÖDEMESİ.exe	powershell.exe
PID 2376 wrote to memory of 4260	2376	FATURA ÖDEMESİ.exe	powershell.exe
PID 2376 wrote to memory of 4260	2376	FATURA ÖDEMESİ.exe	powershell.exe
PID 2376 wrote to memory of 2736	2376	FATURA ÖDEMESİ.exe	schtasks.exe
PID 2376 wrote to memory of 2736	2376	FATURA ÖDEMESİ.exe	schtasks.exe
PID 2376 wrote to memory of 2736	2376	FATURA ÖDEMESİ.exe	schtasks.exe
PID 2376 wrote to memory of 4952	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4952	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4952	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2376 wrote to memory of 4520	2376	FATURA ÖDEMESİ.exe	RegSvcs.exe
PID 2584 wrote to memory of 2632	2584	Explorer.EXE	colorcpl.exe
PID 2584 wrote to memory of 2632	2584	Explorer.EXE	colorcpl.exe
PID 2584 wrote to memory of 2632	2584	Explorer.EXE	colorcpl.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\FATURA ÖDEMESİ.exe
  "C:\Users\Admin\AppData\Local\Temp\FATURA ÖDEMESİ.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FajjkkDL.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FajjkkDL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp985E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp985E.tmp

Filesize
1KB

MD5
aa6a796dc7918683a4590e4831cb3353

SHA1
f8b025bd0f3fef4b5f9ffe68a183c29ddca3b249

SHA256
f3f6699a6c4286f83b9f6659a40a8719bf2127ca619ae421e22bf5bb90c36f37

SHA512
f6033b2eff0d33aa3a2f29e2925e879f9daeb92e605fbbea9764b64557c55f49079bf1136e12a29ffa865adeb19904eb4b370fd9e4d429467a7167d5f3ee7cc9

Download Submit
memory/2376-133-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-134-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/2376-135-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/2376-136-0x0000000005DF0000-0x0000000005E8C000-memory.dmp

Filesize
624KB

Download
memory/2376-132-0x0000000000800000-0x00000000008DC000-memory.dmp

Filesize
880KB

Download
memory/2584-152-0x00000000028B0000-0x0000000002972000-memory.dmp

Filesize
776KB

Download
memory/2736-138-0x0000000000000000-mapping.dmp

Download
memory/4260-146-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/4260-141-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/4260-145-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/4260-147-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4260-139-0x0000000004C30000-0x0000000004C66000-memory.dmp

Filesize
216KB

Download
memory/4260-149-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/4260-137-0x0000000000000000-mapping.dmp

Download
memory/4520-143-0x0000000000000000-mapping.dmp

Download
memory/4520-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-150-0x0000000001960000-0x0000000001CAA000-memory.dmp

Filesize
3.3MB

Download
memory/4520-151-0x0000000001630000-0x0000000001645000-memory.dmp

Filesize
84KB

Download
memory/4952-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads