formbook | ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

Analysis

max time kernel
149s
max time network
109s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c85964484c4e3471124dd4dd5ef34df.exe
Size

293KB
MD5

7c85964484c4e3471124dd4dd5ef34df
SHA1

9a98592a83e9d3ba1dcbe52000e63f9940270fd7
SHA256

ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e
SHA512

46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d
SSDEEP

6144:/Ya6ecZBUdAW0HmqIUjrBxEsjolC06nbGY9kbdVMZYIOS+Fgoka:/YQnd+GaLEsfnbGKkDax5+Vka

Score

10^/10

formbook gn35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gn35

Decoy

igusa.top

1cweb.online

ifoundmymind.com

highlightscorner.africa

kareeberg.com

conjurai.com

airforcevillagesinc.space

3dprintingpro.net

montelent.africa

willowscatsitting.co.uk

dental-implants-64653.com

byunfussy.com

jbpaintsolutions.com

caliner-bebe.com

hjd54c.com

ronabarandgrill.co.uk

financechainz.com

jsqualitycars.com

cortinasagave.store

barrowfordceltic.org.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/428-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/428-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1944-81-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1944-83-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

gpphbrp.exegpphbrp.exe

pid process

1172 gpphbrp.exe
428 gpphbrp.exe
Loads dropped DLL 3 IoCs

Processes:

7c85964484c4e3471124dd4dd5ef34df.exegpphbrp.exe

pid process

1992 7c85964484c4e3471124dd4dd5ef34df.exe
1992 7c85964484c4e3471124dd4dd5ef34df.exe
1172 gpphbrp.exe

pid	process
1172	gpphbrp.exe
428	gpphbrp.exe

pid	process
1992	7c85964484c4e3471124dd4dd5ef34df.exe
1992	7c85964484c4e3471124dd4dd5ef34df.exe
1172	gpphbrp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gpphbrp.exegpphbrp.exemsiexec.exe

description	pid	process	target process
PID 1172 set thread context of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 428 set thread context of 1256	428	gpphbrp.exe	Explorer.EXE
PID 1944 set thread context of 1256	1944	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

gpphbrp.exemsiexec.exe

pid	process
428	gpphbrp.exe
428	gpphbrp.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe
1944	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

gpphbrp.exegpphbrp.exemsiexec.exe

pid process

1172 gpphbrp.exe
428 gpphbrp.exe
428 gpphbrp.exe
428 gpphbrp.exe
1944 msiexec.exe
1944 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gpphbrp.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 428 gpphbrp.exe
Token: SeDebugPrivilege 1944 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE

pid	process
1172	gpphbrp.exe
428	gpphbrp.exe
428	gpphbrp.exe
428	gpphbrp.exe
1944	msiexec.exe
1944	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	428	gpphbrp.exe
Token: SeDebugPrivilege	1944	msiexec.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7c85964484c4e3471124dd4dd5ef34df.exegpphbrp.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1992 wrote to memory of 1172	1992	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1992 wrote to memory of 1172	1992	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1992 wrote to memory of 1172	1992	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1992 wrote to memory of 1172	1992	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1172 wrote to memory of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 1172 wrote to memory of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 1172 wrote to memory of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 1172 wrote to memory of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 1172 wrote to memory of 428	1172	gpphbrp.exe	gpphbrp.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1256 wrote to memory of 1944	1256	Explorer.EXE	msiexec.exe
PID 1944 wrote to memory of 1696	1944	msiexec.exe	cmd.exe
PID 1944 wrote to memory of 1696	1944	msiexec.exe	cmd.exe
PID 1944 wrote to memory of 1696	1944	msiexec.exe	cmd.exe
PID 1944 wrote to memory of 1696	1944	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe
"C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe" C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
3⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
Filesize
5KB

MD5
900c373f6c5be8540eae5a626e47a359

SHA1
2737e9fd6c97348be165d25b07fbcf76459949ad

SHA256
0494586849051993d03464b9917ed4e94b2401557cc2a7158dfb2448ce180f5a

SHA512
e2a5552cbf53d0ef5c19c29ebb82b6470732ada49917f46d86a80900e5cefa7f4894d535de4609da027342d5416ecb2b3cda66d862d3ae94eff43fe95977e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlrrrg.a
Filesize
205KB

MD5
71674cfae55662347b48db35362ba924

SHA1
668707609fe97b070604791f76f0d563a94e80b2

SHA256
bfd69cb6188a67e380b526f42377ce2d523c92dbe2d87dd921c6f643ff2fccbc

SHA512
1c10e50d2332af2b8e9b4f98eb55b8add0d527522c21de7c9bee1fcd94a426f09f61c9dcff05be02484ba6357834999622c25993be26c06d616f1c94e64c55a7

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
memory/428-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-72-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/428-73-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/1256-74-0x00000000069B0000-0x0000000006AC4000-memory.dmp

Filesize
1.1MB

Download
memory/1256-86-0x0000000006BA0000-0x0000000006CCA000-memory.dmp

Filesize
1.2MB

Download
memory/1256-87-0x0000000006BA0000-0x0000000006CCA000-memory.dmp

Filesize
1.2MB

Download
memory/1256-89-0x0000000006BA0000-0x0000000006CCA000-memory.dmp

Filesize
1.2MB

Download
memory/1944-76-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1944-78-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1944-80-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1944-81-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1944-82-0x0000000002350000-0x0000000002653000-memory.dmp

Filesize
3.0MB

Download
memory/1944-83-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1944-85-0x0000000002030000-0x00000000020C4000-memory.dmp

Filesize
592KB

Download