formbook | 11b7ed15ae6b1bb53ad3eeff567acb939f794bfdf067b6c3c07c19a15a02fb8f

General

Target

tmp.exe
Size

755KB
MD5

32c97647b3b5602a7cdf5cae7aa3f289
SHA1

23a7ee141819cb81d92d4dc4de53ff704f2908fd
SHA256

11b7ed15ae6b1bb53ad3eeff567acb939f794bfdf067b6c3c07c19a15a02fb8f
SHA512

fa81b95cf2825bc869aeaddb85c90744cd29a172f7e6b86a73727caea4f230fddc222d4a9aee7903cc05cee6ffbdb7974e59ec905a0e4a191d7c6ff77c47f412
SSDEEP

12288:C6IOEw4qE4iVV/r7VWCsBvTDoJ+JlQcNoOXRHWBWDUNV26M+KJxHOWAi9bLLX69/:vIOMqEZV/NWC8noYlQukBWDS2PJMWA6Q

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/752-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/752-68-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/752-70-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/752-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/960-83-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1536 cmd.exe

pid	process
1536	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exetmp.exemsiexec.exe

description	pid	process	target process
PID 1388 set thread context of 752	1388	tmp.exe	tmp.exe
PID 752 set thread context of 1288	752	tmp.exe	Explorer.EXE
PID 752 set thread context of 1288	752	tmp.exe	Explorer.EXE
PID 960 set thread context of 1288	960	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe

pid	process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exetmp.exemsiexec.exe

pid	process
524	powershell.exe
752	tmp.exe
752	tmp.exe
752	tmp.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe
960	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tmp.exemsiexec.exe

pid process

752 tmp.exe
752 tmp.exe
752 tmp.exe
752 tmp.exe
960 msiexec.exe
960 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exetmp.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 524 powershell.exe
Token: SeDebugPrivilege 752 tmp.exe
Token: SeDebugPrivilege 960 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE

pid	process
1288	Explorer.EXE

pid	process
752	tmp.exe
752	tmp.exe
752	tmp.exe
752	tmp.exe
960	msiexec.exe
960	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	752	tmp.exe
Token: SeDebugPrivilege	960	msiexec.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

tmp.exetmp.exemsiexec.exe

description	pid	process	target process
PID 1388 wrote to memory of 524	1388	tmp.exe	powershell.exe
PID 1388 wrote to memory of 524	1388	tmp.exe	powershell.exe
PID 1388 wrote to memory of 524	1388	tmp.exe	powershell.exe
PID 1388 wrote to memory of 524	1388	tmp.exe	powershell.exe
PID 1388 wrote to memory of 268	1388	tmp.exe	schtasks.exe
PID 1388 wrote to memory of 268	1388	tmp.exe	schtasks.exe
PID 1388 wrote to memory of 268	1388	tmp.exe	schtasks.exe
PID 1388 wrote to memory of 268	1388	tmp.exe	schtasks.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 1388 wrote to memory of 752	1388	tmp.exe	tmp.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 752 wrote to memory of 960	752	tmp.exe	msiexec.exe
PID 960 wrote to memory of 1536	960	msiexec.exe	cmd.exe
PID 960 wrote to memory of 1536	960	msiexec.exe	cmd.exe
PID 960 wrote to memory of 1536	960	msiexec.exe	cmd.exe
PID 960 wrote to memory of 1536	960	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OmNDQZtzXRnhGI.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OmNDQZtzXRnhGI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB424.tmp"
3⤵
- Creates scheduled task(s)
PID:268

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
5⤵
- Deletes itself
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB424.tmp
Filesize
1KB

MD5
7ff60cdf79ed85afb6e7e5ab13602fdf

SHA1
c4625d41af15fdc8d3f5e2eccde9b569d14edcea

SHA256
15f5281fb20f7419b8412f20ba03bd87509d5197b36b20f2505408fea897ae63

SHA512
11f4291f3f014c93be6cd82d82033f60120b4bc602f3e77faea37de3e9ab6c781ad01bbee043a1a3c77343f3f89343762d42fbed16ad34b6969298160a82bd27

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/524-71-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/524-59-0x0000000000000000-mapping.dmp

Download
memory/752-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-73-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/752-72-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/752-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-76-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/752-68-0x000000000041F160-mapping.dmp

Download
memory/960-78-0x0000000000000000-mapping.dmp

Download
memory/960-82-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/960-85-0x0000000002080000-0x0000000002113000-memory.dmp

Filesize
588KB

Download
memory/960-84-0x00000000022B0000-0x00000000025B3000-memory.dmp

Filesize
3.0MB

Download
memory/960-83-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1288-77-0x0000000006480000-0x0000000006566000-memory.dmp

Filesize
920KB

Download
memory/1288-87-0x0000000003A70000-0x0000000003B1C000-memory.dmp

Filesize
688KB

Download
memory/1288-74-0x0000000004E80000-0x0000000004FE4000-memory.dmp

Filesize
1.4MB

Download
memory/1288-86-0x0000000003A70000-0x0000000003B1C000-memory.dmp

Filesize
688KB

Download
memory/1388-63-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/1388-54-0x0000000000D00000-0x0000000000DC2000-memory.dmp

Filesize
776KB

Download
memory/1388-56-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/1388-58-0x00000000050A0000-0x0000000005110000-memory.dmp

Filesize
448KB

Download
memory/1388-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1388-57-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/1536-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads