formbook | c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415

General

Target

Justificante de transferencia.exe
Size

324KB
MD5

89c1af7470bf3a699a914a62a7a37c1f
SHA1

75112e7df02461e8dc0266d6a147959b2ae3701c
SHA256

c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
SHA512

fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6
SSDEEP

6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx

Score

10^/10

formbook guloader bd16 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bd16

Decoy

fjosephsolicitor.co.uk

itworx.store

firstlinebeefits.com

cadimaglobalservices.com

inclevin.com

kashmirimasale.com

charalambidis.com

homeliday.co.uk

joseguardiola.dev

wowmomofranchise.info

halongbaycruisestours.com

000217.com

dslt.xyz

careyinmobiliaria.com

ucankofteci.net

brisace.com

fastestcleaningservice.com

cornbreadnchicken.com

sizeable.app

labradordiamond.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/580-104-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/580-111-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/580-119-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/1284-121-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook
behavioral1/memory/1284-123-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Justificante de transferencia.exeJustificante de transferencia.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Justificante de transferencia.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Justificante de transferencia.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1732 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

Justificante de transferencia.exe

pid process

1644 Justificante de transferencia.exe
1644 Justificante de transferencia.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

Justificante de transferencia.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Autogensvejse\Dispowder\tilsttendes.Per Justificante de transferencia.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Justificante de transferencia.exe

pid process

580 Justificante de transferencia.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Justificante de transferencia.exeJustificante de transferencia.exe

pid process

1644 Justificante de transferencia.exe
580 Justificante de transferencia.exe

pid	process
1732	cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Autogensvejse\Dispowder\tilsttendes.Per	Justificante de transferencia.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Justificante de transferencia.exeJustificante de transferencia.exewininit.exe

description	pid	process	target process
PID 1644 set thread context of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 580 set thread context of 1208	580	Justificante de transferencia.exe	Explorer.EXE
PID 580 set thread context of 1208	580	Justificante de transferencia.exe	Explorer.EXE
PID 1284 set thread context of 1208	1284	wininit.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

Justificante de transferencia.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Superstars148\Fodslbende\Hippocampus.Run	Justificante de transferencia.exe
File created	C:\Program Files (x86)\Undertvungnes.lnk	Justificante de transferencia.exe

Drops file in Windows directory 2 IoCs

Processes:

Justificante de transferencia.exe

description	ioc	process
File opened for modification	C:\Windows\resources\Tilskrivningen.ini	Justificante de transferencia.exe
File opened for modification	C:\Windows\Fonts\Pharyngorhinitis\Silicispongiae\Barrikaden.Scr	Justificante de transferencia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Justificante de transferencia.exewininit.exe

pid	process
580	Justificante de transferencia.exe
580	Justificante de transferencia.exe
580	Justificante de transferencia.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe
1284	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Justificante de transferencia.exeJustificante de transferencia.exewininit.exe

pid	process
1644	Justificante de transferencia.exe
580	Justificante de transferencia.exe
580	Justificante de transferencia.exe
580	Justificante de transferencia.exe
580	Justificante de transferencia.exe
1284	wininit.exe
1284	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Justificante de transferencia.exeExplorer.EXEwininit.exe

description	pid	process
Token: SeDebugPrivilege	580	Justificante de transferencia.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1284	wininit.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Justificante de transferencia.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1644 wrote to memory of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 1644 wrote to memory of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 1644 wrote to memory of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 1644 wrote to memory of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 1644 wrote to memory of 580	1644	Justificante de transferencia.exe	Justificante de transferencia.exe
PID 1208 wrote to memory of 1284	1208	Explorer.EXE	wininit.exe
PID 1208 wrote to memory of 1284	1208	Explorer.EXE	wininit.exe
PID 1208 wrote to memory of 1284	1208	Explorer.EXE	wininit.exe
PID 1208 wrote to memory of 1284	1208	Explorer.EXE	wininit.exe
PID 1284 wrote to memory of 1732	1284	wininit.exe	cmd.exe
PID 1284 wrote to memory of 1732	1284	wininit.exe	cmd.exe
PID 1284 wrote to memory of 1732	1284	wininit.exe	cmd.exe
PID 1284 wrote to memory of 1732	1284	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
"C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
"C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
3⤵
- Deletes itself
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdF874.tmp\AdvSplash.dll
Filesize
6KB

MD5
e8b67a37fb41d54a7eda453309d45d97

SHA1
96be9bf7a988d9cea06150d57cd1de19f1fec19e

SHA256
2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf

SHA512
20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF874.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/580-81-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/580-116-0x0000000001470000-0x00000000029A2000-memory.dmp

Filesize
21.2MB

Download
memory/580-79-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/580-80-0x0000000001470000-0x00000000029A2000-memory.dmp

Filesize
21.2MB

Download
memory/580-114-0x00000000324A0000-0x00000000324B4000-memory.dmp

Filesize
80KB

Download
memory/580-104-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/580-105-0x0000000001470000-0x00000000029A2000-memory.dmp

Filesize
21.2MB

Download
memory/580-107-0x0000000001470000-0x00000000029A2000-memory.dmp

Filesize
21.2MB

Download
memory/580-108-0x0000000032ED0000-0x00000000331D3000-memory.dmp

Filesize
3.0MB

Download
memory/580-109-0x0000000032960000-0x0000000032974000-memory.dmp

Filesize
80KB

Download
memory/580-119-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/580-111-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1208-110-0x00000000061C0000-0x00000000062A6000-memory.dmp

Filesize
920KB

Download
memory/1208-115-0x00000000062B0000-0x00000000063AF000-memory.dmp

Filesize
1020KB

Download
memory/1208-126-0x0000000006510000-0x0000000006658000-memory.dmp

Filesize
1.3MB

Download
memory/1208-127-0x0000000006510000-0x0000000006658000-memory.dmp

Filesize
1.3MB

Download
memory/1208-130-0x0000000006510000-0x0000000006658000-memory.dmp

Filesize
1.3MB

Download
memory/1284-117-0x0000000000080000-0x000000000009A000-memory.dmp

Filesize
104KB

Download
memory/1284-118-0x0000000000080000-0x000000000009A000-memory.dmp

Filesize
104KB

Download
memory/1284-121-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/1284-122-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/1284-123-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/1284-125-0x0000000001E20000-0x0000000001EB3000-memory.dmp

Filesize
588KB

Download
memory/1644-78-0x0000000002FE0000-0x0000000004512000-memory.dmp

Filesize
21.2MB

Download
memory/1644-77-0x0000000002FE0000-0x0000000004512000-memory.dmp

Filesize
21.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads