formbook | ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c85964484c4e3471124dd4dd5ef34df.exe
Size

293KB
MD5

7c85964484c4e3471124dd4dd5ef34df
SHA1

9a98592a83e9d3ba1dcbe52000e63f9940270fd7
SHA256

ab8fa0dda1daa490598653ad71df25b26af3dc5b54434c68bccdff3eda13f96e
SHA512

46f1d69d8a787b946084fbb3caa12a4ae7a723b0591d3fd2be8f0a9915ed3702f7f771dc52e2f008b51bb291a223f3df56d4a3dc789dc88b50d7f281f71a0e0d
SSDEEP

6144:/Ya6ecZBUdAW0HmqIUjrBxEsjolC06nbGY9kbdVMZYIOS+Fgoka:/YQnd+GaLEsfnbGKkDax5+Vka

Score

10^/10

formbook gn35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gn35

Decoy

igusa.top

1cweb.online

ifoundmymind.com

highlightscorner.africa

kareeberg.com

conjurai.com

airforcevillagesinc.space

3dprintingpro.net

montelent.africa

willowscatsitting.co.uk

dental-implants-64653.com

byunfussy.com

jbpaintsolutions.com

caliner-bebe.com

hjd54c.com

ronabarandgrill.co.uk

financechainz.com

jsqualitycars.com

cortinasagave.store

barrowfordceltic.org.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3792-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3792-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3792-153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1280-158-0x0000000001080000-0x00000000010AF000-memory.dmp	formbook
behavioral2/memory/1280-160-0x0000000001080000-0x00000000010AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

gpphbrp.exegpphbrp.exe

pid process

436 gpphbrp.exe
3792 gpphbrp.exe

pid	process
436	gpphbrp.exe
3792	gpphbrp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

gpphbrp.exegpphbrp.exeWWAHost.exe

description	pid	process	target process
PID 436 set thread context of 3792	436	gpphbrp.exe	gpphbrp.exe
PID 3792 set thread context of 3172	3792	gpphbrp.exe	Explorer.EXE
PID 3792 set thread context of 3172	3792	gpphbrp.exe	Explorer.EXE
PID 1280 set thread context of 3172	1280	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

gpphbrp.exeWWAHost.exe

pid	process
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe
1280	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gpphbrp.exegpphbrp.exeWWAHost.exe

pid process

436 gpphbrp.exe
3792 gpphbrp.exe
3792 gpphbrp.exe
3792 gpphbrp.exe
3792 gpphbrp.exe
1280 WWAHost.exe
1280 WWAHost.exe

pid	process
3172	Explorer.EXE

pid	process
436	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
3792	gpphbrp.exe
1280	WWAHost.exe
1280	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

gpphbrp.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3792	gpphbrp.exe
Token: SeDebugPrivilege	1280	WWAHost.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7c85964484c4e3471124dd4dd5ef34df.exegpphbrp.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1680 wrote to memory of 436	1680	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1680 wrote to memory of 436	1680	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 1680 wrote to memory of 436	1680	7c85964484c4e3471124dd4dd5ef34df.exe	gpphbrp.exe
PID 436 wrote to memory of 3792	436	gpphbrp.exe	gpphbrp.exe
PID 436 wrote to memory of 3792	436	gpphbrp.exe	gpphbrp.exe
PID 436 wrote to memory of 3792	436	gpphbrp.exe	gpphbrp.exe
PID 436 wrote to memory of 3792	436	gpphbrp.exe	gpphbrp.exe
PID 3172 wrote to memory of 1280	3172	Explorer.EXE	WWAHost.exe
PID 3172 wrote to memory of 1280	3172	Explorer.EXE	WWAHost.exe
PID 3172 wrote to memory of 1280	3172	Explorer.EXE	WWAHost.exe
PID 1280 wrote to memory of 3900	1280	WWAHost.exe	cmd.exe
PID 1280 wrote to memory of 3900	1280	WWAHost.exe	cmd.exe
PID 1280 wrote to memory of 3900	1280	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe
"C:\Users\Admin\AppData\Local\Temp\7c85964484c4e3471124dd4dd5ef34df.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe" C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
"C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe"
3⤵
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpphbrp.exe
Filesize
138KB

MD5
f9394d6c994da104b69ecfc701cb02a6

SHA1
78ac48ed2c0e529c013afee21b0bb64c163ecdd6

SHA256
77605e28e9752824381fc7e026c9c8e0f115442c1c306d9d1d066280945e8980

SHA512
c4defd186290d2b0b47a1779bf81aa2640f1648707b03a29dbc3d824ca87b6ea8bbfa4d5a06d28568f1dfb939291b25e36da45e69814318784167127a581555b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwjgf.bat
Filesize
5KB

MD5
900c373f6c5be8540eae5a626e47a359

SHA1
2737e9fd6c97348be165d25b07fbcf76459949ad

SHA256
0494586849051993d03464b9917ed4e94b2401557cc2a7158dfb2448ce180f5a

SHA512
e2a5552cbf53d0ef5c19c29ebb82b6470732ada49917f46d86a80900e5cefa7f4894d535de4609da027342d5416ecb2b3cda66d862d3ae94eff43fe95977e50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlrrrg.a
Filesize
205KB

MD5
71674cfae55662347b48db35362ba924

SHA1
668707609fe97b070604791f76f0d563a94e80b2

SHA256
bfd69cb6188a67e380b526f42377ce2d523c92dbe2d87dd921c6f643ff2fccbc

SHA512
1c10e50d2332af2b8e9b4f98eb55b8add0d527522c21de7c9bee1fcd94a426f09f61c9dcff05be02484ba6357834999622c25993be26c06d616f1c94e64c55a7

Download Submit
memory/1280-158-0x0000000001080000-0x00000000010AF000-memory.dmp

Filesize
188KB

Download
memory/1280-154-0x0000000000310000-0x00000000003EC000-memory.dmp

Filesize
880KB

Download
memory/1280-157-0x0000000000310000-0x00000000003EC000-memory.dmp

Filesize
880KB

Download
memory/1280-179-0x0000000001BC0000-0x0000000001C54000-memory.dmp

Filesize
592KB

Download
memory/1280-160-0x0000000001080000-0x00000000010AF000-memory.dmp

Filesize
188KB

Download
memory/1280-159-0x0000000001E80000-0x00000000021CA000-memory.dmp

Filesize
3.3MB

Download
memory/3172-183-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-189-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-282-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3172-277-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3172-276-0x0000000007880000-0x0000000007882000-memory.dmp

Filesize
8KB

Download
memory/3172-263-0x0000000007880000-0x0000000007882000-memory.dmp

Filesize
8KB

Download
memory/3172-161-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-162-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-163-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-165-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-164-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-166-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-167-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-168-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-169-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-170-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-171-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-172-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-173-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-174-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-175-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-176-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-178-0x0000000007B30000-0x0000000007B40000-memory.dmp

Filesize
64KB

Download
memory/3172-180-0x00000000092F0000-0x0000000009415000-memory.dmp

Filesize
1.1MB

Download
memory/3172-152-0x0000000009140000-0x0000000009289000-memory.dmp

Filesize
1.3MB

Download
memory/3172-181-0x00000000092F0000-0x0000000009415000-memory.dmp

Filesize
1.1MB

Download
memory/3172-182-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-149-0x0000000008FD0000-0x0000000009132000-memory.dmp

Filesize
1.4MB

Download
memory/3172-184-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-185-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-186-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-187-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-188-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-240-0x00000000031A0000-0x00000000031A2000-memory.dmp

Filesize
8KB

Download
memory/3172-190-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-191-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-192-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-193-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-194-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-195-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-196-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-197-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-198-0x00000000092F0000-0x0000000009415000-memory.dmp

Filesize
1.1MB

Download
memory/3172-200-0x00000000092F0000-0x0000000009415000-memory.dmp

Filesize
1.1MB

Download
memory/3172-201-0x00000000092F0000-0x0000000009415000-memory.dmp

Filesize
1.1MB

Download
memory/3172-207-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-208-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-209-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-210-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-212-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-211-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-213-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-214-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-215-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-216-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-217-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-218-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-219-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-220-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-221-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3172-223-0x00000000031A0000-0x00000000031A2000-memory.dmp

Filesize
8KB

Download
memory/3792-148-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/3792-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-146-0x0000000000AD0000-0x0000000000E1A000-memory.dmp

Filesize
3.3MB

Download
memory/3792-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-151-0x0000000000A30000-0x0000000000A45000-memory.dmp

Filesize
84KB

Download
memory/3792-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download