formbook | 6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8

General

Target

0b793ae840102dff93fa1ec0a38bd603.exe
Size

430KB
MD5

0b793ae840102dff93fa1ec0a38bd603
SHA1

ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c
SHA256

6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8
SHA512

374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7
SSDEEP

6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH

Score

10^/10

formbook guloader u34f discovery downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/764-97-0x0000000000400000-0x0000000001462000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe0b793ae840102dff93fa1ec0a38bd603.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	0b793ae840102dff93fa1ec0a38bd603.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	0b793ae840102dff93fa1ec0a38bd603.exe

Loads dropped DLL 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

pid process

1064 0b793ae840102dff93fa1ec0a38bd603.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

pid process

764 0b793ae840102dff93fa1ec0a38bd603.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe0b793ae840102dff93fa1ec0a38bd603.exe

pid process

1064 0b793ae840102dff93fa1ec0a38bd603.exe
764 0b793ae840102dff93fa1ec0a38bd603.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

description pid process target process

PID 1064 set thread context of 764 1064 0b793ae840102dff93fa1ec0a38bd603.exe 0b793ae840102dff93fa1ec0a38bd603.exe

pid	process
1064	0b793ae840102dff93fa1ec0a38bd603.exe

pid	process
764	0b793ae840102dff93fa1ec0a38bd603.exe

pid	process
1064	0b793ae840102dff93fa1ec0a38bd603.exe
764	0b793ae840102dff93fa1ec0a38bd603.exe

description	pid	process	target process
PID 1064 set thread context of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe

Drops file in Program Files directory 2 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Rodsammenet\Atavi.ini	0b793ae840102dff93fa1ec0a38bd603.exe
File opened for modification	C:\Program Files (x86)\Common Files\skovgangsmanden.Kli	0b793ae840102dff93fa1ec0a38bd603.exe

Drops file in Windows directory 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Pantanencephalia\Trinitrotoluene\Flanched.Sup	0b793ae840102dff93fa1ec0a38bd603.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

pid process

764 0b793ae840102dff93fa1ec0a38bd603.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

pid process

1064 0b793ae840102dff93fa1ec0a38bd603.exe

pid	process
764	0b793ae840102dff93fa1ec0a38bd603.exe

pid	process
1064	0b793ae840102dff93fa1ec0a38bd603.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

0b793ae840102dff93fa1ec0a38bd603.exe

description	pid	process	target process
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	0b793ae840102dff93fa1ec0a38bd603.exe

C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
"C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
"C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd3F72.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/764-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-73-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-75-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-97-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-98-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-101-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-102-0x0000000032750000-0x0000000032A53000-memory.dmp

Filesize
3.0MB

Download
memory/1064-70-0x0000000003110000-0x0000000003EF8000-memory.dmp

Filesize
13.9MB

Download
memory/1064-71-0x0000000003110000-0x0000000003EF8000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads