formbook | 139c10bab25d09231dfa465708c27632ed0618caaa710af0a1f326f80abd365b

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe
Size

277KB
MD5

43056ad325dc432700151289c7135e81
SHA1

7bbed739e54f8c6806d75bc1e07b64f3585297ee
SHA256

139c10bab25d09231dfa465708c27632ed0618caaa710af0a1f326f80abd365b
SHA512

8c28e6fb9f49e302abf8f58f4cabe54bc35cb64139fb4a0a335debc1a994fcd9db03b82941284b2d62add0d706de8353a39bd945a757e79f8e25deaa1e5e12e0
SSDEEP

6144:ZYa6lRGw1D8yslb006YIaSt+sBa6klAF/uGBe3H9ZOJ/chVmabHyvbCfnN4K:ZYTRn4yslb0BYXH6a6kI/un3nIuAa4bS

Score

10^/10

formbook sk29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk29

Decoy

adobeholidaylego.com

labassecourdecaro.com

whhlbz.net

aikxian.net

myimmigration.net

etribe.info

fercosgru.com

everbrighthouse.com

finepizzavegesack.info

mesuretonradon.com

escopic.art

mapzle.com

panachesports.net

alabamasbesthvac.com

esghf.com

usrisik.com

activseal.com

eventplanningpros.africa

adufyuwefjdfuiwefl.site

kornilt.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/560-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3532-145-0x0000000000CF0000-0x0000000000D1F000-memory.dmp	formbook
behavioral2/memory/3532-150-0x0000000000CF0000-0x0000000000D1F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
42	3532	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	igqsdqvs.exe
560	igqsdqvs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 560	4552	igqsdqvs.exe	84
PID 560 set thread context of 2584	560	igqsdqvs.exe	40
PID 3532 set thread context of 2584	3532	wscript.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
560	igqsdqvs.exe
560	igqsdqvs.exe
560	igqsdqvs.exe
560	igqsdqvs.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe
3532	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4552	igqsdqvs.exe
560	igqsdqvs.exe
560	igqsdqvs.exe
560	igqsdqvs.exe
3532	wscript.exe
3532	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	igqsdqvs.exe
Token: SeDebugPrivilege	3532	wscript.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 4552	4032	SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe	83
PID 4032 wrote to memory of 4552	4032	SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe	83
PID 4032 wrote to memory of 4552	4032	SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe	83
PID 4552 wrote to memory of 560	4552	igqsdqvs.exe	84
PID 4552 wrote to memory of 560	4552	igqsdqvs.exe	84
PID 4552 wrote to memory of 560	4552	igqsdqvs.exe	84
PID 4552 wrote to memory of 560	4552	igqsdqvs.exe	84
PID 2584 wrote to memory of 3532	2584	Explorer.EXE	85
PID 2584 wrote to memory of 3532	2584	Explorer.EXE	85
PID 2584 wrote to memory of 3532	2584	Explorer.EXE	85
PID 3532 wrote to memory of 2276	3532	wscript.exe	89
PID 3532 wrote to memory of 2276	3532	wscript.exe	89
PID 3532 wrote to memory of 2276	3532	wscript.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.10.30679.23954.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe
    "C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe" C:\Users\Admin\AppData\Local\Temp\umnfqcwjk.uu
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe
      "C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:560
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe"
    3⤵
    PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe

Filesize
79KB

MD5
d02a98212c1785ecf951ec74e6ea6686

SHA1
987e8d18822156f8b7acfa47be0ecd4b1b1691f4

SHA256
8b043a0ec51dda12fa60faa0cd98b64fddc34e21bb78276cba7bd36b4c6d21f2

SHA512
41aaad997fb5724f18a67e2200880709ddc5975c28764fd03bbf82011ff3458b1a051bc8dafed65118cf4f6270cdda00f443b8666280abf12bbfd877c4e210e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe

Filesize
79KB

MD5
d02a98212c1785ecf951ec74e6ea6686

SHA1
987e8d18822156f8b7acfa47be0ecd4b1b1691f4

SHA256
8b043a0ec51dda12fa60faa0cd98b64fddc34e21bb78276cba7bd36b4c6d21f2

SHA512
41aaad997fb5724f18a67e2200880709ddc5975c28764fd03bbf82011ff3458b1a051bc8dafed65118cf4f6270cdda00f443b8666280abf12bbfd877c4e210e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\igqsdqvs.exe

Filesize
79KB

MD5
d02a98212c1785ecf951ec74e6ea6686

SHA1
987e8d18822156f8b7acfa47be0ecd4b1b1691f4

SHA256
8b043a0ec51dda12fa60faa0cd98b64fddc34e21bb78276cba7bd36b4c6d21f2

SHA512
41aaad997fb5724f18a67e2200880709ddc5975c28764fd03bbf82011ff3458b1a051bc8dafed65118cf4f6270cdda00f443b8666280abf12bbfd877c4e210e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfjmksxlfc.x

Filesize
205KB

MD5
9af9a19828c432a51cd94c8ae8dcf2fa

SHA1
0cc758b6d8d19245e71fb17040d00b6c97d8913c

SHA256
096ea8045efd69f4e8c91e12f2bbb8b3e20470792edf3fef3ac0b9f77e3c0a74

SHA512
af8d7a689dbdf20c926aa708a5108fd9c19222b6fd90f745ace42b46d573280c7ae7f573c62f8ac1e013740cb0e143ec36fbe4be138718ceee9e14229eed1510

Download Submit
C:\Users\Admin\AppData\Local\Temp\umnfqcwjk.uu

Filesize
5KB

MD5
249902c306a6270253a9395ec85b2418

SHA1
5aa18252e3a3124ad4b4e075d612eea321e9c5dc

SHA256
7d174252e365ebb9af3bd705dd84b55788d99ce4a99cdcbf40f1b10131dfbf6e

SHA512
a87e8c4acd2cc050c2488930e4293dce09d4893a1bbbbddeee3f0bb4ac9e507a31874d0773b445fbcc844b9c556ad171d94ae4ab8ea4f4c5e98b20d1c563c356

Download Submit
memory/560-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-140-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/560-141-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/2584-142-0x00000000028B0000-0x0000000002A01000-memory.dmp

Filesize
1.3MB

Download
memory/2584-149-0x0000000002C80000-0x0000000002D53000-memory.dmp

Filesize
844KB

Download
memory/2584-151-0x0000000002C80000-0x0000000002D53000-memory.dmp

Filesize
844KB

Download
memory/3532-144-0x0000000000D80000-0x0000000000DA7000-memory.dmp

Filesize
156KB

Download
memory/3532-145-0x0000000000CF0000-0x0000000000D1F000-memory.dmp

Filesize
188KB

Download
memory/3532-147-0x0000000002F80000-0x00000000032CA000-memory.dmp

Filesize
3.3MB

Download
memory/3532-148-0x0000000002DF0000-0x0000000002E83000-memory.dmp

Filesize
588KB

Download
memory/3532-150-0x0000000000CF0000-0x0000000000D1F000-memory.dmp

Filesize
188KB

Download