formbook | abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159

General

Target

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
Size

812KB
MD5

4f57c474b77a208ee4d212894b3512d2
SHA1

41d369bc50e40fc80054e215d3b2ff44be10c08e
SHA256

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
SHA512

0d7efaba27a0564ed224edc0fba642e93676d3c2c561a58887ca925870bc09eb1dda9b9617428247761386aff630ad052a832f698b054d434b82456e80707d25
SSDEEP

24576:0EXVZ9a++LeZLGjl66eaCku6e4XCi/EJq9:330LDJUaCG1wJq

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4008-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

description	pid	process	target process
PID 3376 set thread context of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4680 schtasks.exe

pid	process
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exepowershell.exeabbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

pid	process
3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
3868	powershell.exe
4008	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
4008	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
3868	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
Token: SeDebugPrivilege	3868	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
"C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\afVxDcSOLVQXKW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\afVxDcSOLVQXKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C04.tmp"
2⤵
- Creates scheduled task(s)
PID:4680

C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
"C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe"
2⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
"C:\Users\Admin\AppData\Local\Temp\abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qydoatvw.xst.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C04.tmp
Filesize
1KB

MD5
2650daa66fbc52ceda8dc024cd0069d6

SHA1
234a1ebb881a68bfc88f7f8f8b1ff339c90e564d

SHA256
4db516fed8cebe1b0e3387c7f0eb2e987d9b6d0b5b89ee11dd9c16c405151d8b

SHA512
40ab08d1636a3839fdb67e5f875bc617556ee364a9643634638609704701060d2dac28642fb7954e3fb020339459a2b0f37e3f0755ec19c60624776bc463ebc5

Download Submit
memory/3376-134-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/3376-135-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/3376-136-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/3376-137-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/3376-138-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/3376-139-0x0000000007640000-0x00000000076DC000-memory.dmp

Filesize
624KB

Download
memory/3376-133-0x0000000000760000-0x0000000000830000-memory.dmp

Filesize
832KB

Download
memory/3868-144-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/3868-166-0x0000000006640000-0x0000000006672000-memory.dmp

Filesize
200KB

Download
memory/3868-148-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

Filesize
136KB

Download
memory/3868-150-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/3868-151-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3868-146-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/3868-157-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3868-162-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3868-185-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/3868-164-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/3868-165-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/3868-184-0x00000000076C0000-0x00000000076DA000-memory.dmp

Filesize
104KB

Download
memory/3868-167-0x0000000071330000-0x000000007137C000-memory.dmp

Filesize
304KB

Download
memory/3868-177-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3868-178-0x00000000079D0000-0x000000000804A000-memory.dmp

Filesize
6.5MB

Download
memory/3868-179-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/3868-180-0x000000007FB20000-0x000000007FB30000-memory.dmp

Filesize
64KB

Download
memory/3868-181-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/3868-182-0x0000000007600000-0x0000000007696000-memory.dmp

Filesize
600KB

Download
memory/3868-183-0x00000000075B0000-0x00000000075BE000-memory.dmp

Filesize
56KB

Download
memory/4008-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-163-0x00000000015C0000-0x000000000190A000-memory.dmp

Filesize
3.3MB

Download

description	pid	process	target process
PID 3376 wrote to memory of 3868	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	powershell.exe
PID 3376 wrote to memory of 3868	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	powershell.exe
PID 3376 wrote to memory of 3868	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	powershell.exe
PID 3376 wrote to memory of 4680	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	schtasks.exe
PID 3376 wrote to memory of 4680	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	schtasks.exe
PID 3376 wrote to memory of 4680	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	schtasks.exe
PID 3376 wrote to memory of 2268	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 2268	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 2268	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe
PID 3376 wrote to memory of 4008	3376	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe	abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads