formbook | 0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4

General

Target

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
Size

1.0MB
MD5

ba79f26ac9099e86e4ee3b045c484909
SHA1

3b991533e9a9fb044015e13265dc61028fd19d5f
SHA256

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4
SHA512

614f898159e4b29f89c142400a2dcffc8e044e0094055f9d36a9569d431b4a2306cbe69742c5b99dce19494f175b806ba03dab39cea55031d073a75dcb516caa
SSDEEP

24576:B4w4yZ1sQDNaCz9HFB6VBf2q+3y6BJQEcXNrYE:GUPaiuVBfm7Q1eE

Score

10^/10

formbook g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1468-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/268-76-0x0000000002620000-0x0000000002660000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe

description	pid	process	target process
PID 1476 set thread context of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1676 schtasks.exe

pid	process
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exepowershell.exe

pid	process
1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
1468	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
268	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe

C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rPGwXmLDdzTgJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rPGwXmLDdzTgJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCED4.tmp"
2⤵
- Creates scheduled task(s)
PID:1676

C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe"
2⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe"
2⤵
PID:292

C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCED4.tmp
Filesize
1KB

MD5
d7f52727a2ea1565348ae917d854387b

SHA1
634c1b4a9dab790b564dd3d1cad664e9fab555cc

SHA256
968bd0de4e81d6bfb28a6e5762acba3aee042114c9068898a9adffe15e7599dc

SHA512
337e9a170e7bfa8105d64bf45524db2a7b0699656339de455012a988957a8a9dfadc3d1080ae1555fb9b2eb9f3a80131d096a1dc6469116b13f537749867300a

Download Submit
memory/268-76-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/268-75-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/268-74-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/268-73-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1468-72-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1468-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1468-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-59-0x00000000061C0000-0x000000000627E000-memory.dmp

Filesize
760KB

Download
memory/1476-65-0x0000000004510000-0x0000000004548000-memory.dmp

Filesize
224KB

Download
memory/1476-54-0x0000000000D60000-0x0000000000E6A000-memory.dmp

Filesize
1.0MB

Download
memory/1476-58-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1476-57-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1476-56-0x0000000005110000-0x0000000005150000-memory.dmp

Filesize
256KB

Download
memory/1476-55-0x0000000005110000-0x0000000005150000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 1476 wrote to memory of 268	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	powershell.exe
PID 1476 wrote to memory of 268	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	powershell.exe
PID 1476 wrote to memory of 268	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	powershell.exe
PID 1476 wrote to memory of 268	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	powershell.exe
PID 1476 wrote to memory of 1676	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	schtasks.exe
PID 1476 wrote to memory of 1676	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	schtasks.exe
PID 1476 wrote to memory of 1676	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	schtasks.exe
PID 1476 wrote to memory of 1676	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	schtasks.exe
PID 1476 wrote to memory of 1528	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1528	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1528	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1528	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 292	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 292	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 292	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 292	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe
PID 1476 wrote to memory of 1468	1476	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe	0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads