formbook | 6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8

General

Target

0b793ae840102dff93fa1ec0a38bd603.exe
Size

430KB
MD5

0b793ae840102dff93fa1ec0a38bd603
SHA1

ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c
SHA256

6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8
SHA512

374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7
SSDEEP

6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH

Score

10^/10

formbook guloader u34f discovery downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/764-97-0x0000000000400000-0x0000000001462000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	0b793ae840102dff93fa1ec0a38bd603.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	0b793ae840102dff93fa1ec0a38bd603.exe

Loads dropped DLL 1 IoCs

pid	Process
1064	0b793ae840102dff93fa1ec0a38bd603.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
764	0b793ae840102dff93fa1ec0a38bd603.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1064	0b793ae840102dff93fa1ec0a38bd603.exe
764	0b793ae840102dff93fa1ec0a38bd603.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Rodsammenet\Atavi.ini	0b793ae840102dff93fa1ec0a38bd603.exe
File opened for modification	C:\Program Files (x86)\Common Files\skovgangsmanden.Kli	0b793ae840102dff93fa1ec0a38bd603.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Pantanencephalia\Trinitrotoluene\Flanched.Sup	0b793ae840102dff93fa1ec0a38bd603.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
764	0b793ae840102dff93fa1ec0a38bd603.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1064	0b793ae840102dff93fa1ec0a38bd603.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27
PID 1064 wrote to memory of 764	1064	0b793ae840102dff93fa1ec0a38bd603.exe	27

C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
"C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
  "C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd3F72.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/764-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-73-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-75-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-97-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/764-98-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-101-0x0000000001470000-0x0000000002258000-memory.dmp

Filesize
13.9MB

Download
memory/764-102-0x0000000032750000-0x0000000032A53000-memory.dmp

Filesize
3.0MB

Download
memory/1064-70-0x0000000003110000-0x0000000003EF8000-memory.dmp

Filesize
13.9MB

Download
memory/1064-71-0x0000000003110000-0x0000000003EF8000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing