formbook | 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd

General

Target

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
Size

285KB
MD5

a413d04a39c86bd0b4ca116227d20a30
SHA1

0d88f2cca0aae58c31add82851c42fa1702cd4cf
SHA256

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd
SHA512

e6d1662c7f389da0016b338185d4c4c3aae6240759641f8f8b62c07f534fbc956fa213cbd0ed37f607b67e0e38fb4635ee1031ada73c7913da921823284e3318
SSDEEP

6144:36dmbMKjUztT0dAxqLjd07V8y/6+8DXDQ9NA6igSOyxRVMvM:h4AUzt0dAxq/ky+8nGig3yxRuM

Score

10^/10

formbook guloader gtt8 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gtt8

Decoy

42taijijian.com

rehnimiyanales.com

cst247.shop

usdt09.tech

lennartjahn.com

aaabestcbd.com

marketing-digital-france-2.xyz

be4time.com

slotyfly.com

parimaladragonflywellness.life

phonereda.com

01076.win

thehoundlounge.info

high-vent.co.uk

14thfeb.com

onlyforks.info

joseeandtim.com

mylegoclub.com

iuser-findmy.info

uninassaupolopinheiro.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4904-145-0x0000000000400000-0x0000000001654000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Loads dropped DLL 1 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

pid process

4868 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

pid process

4904 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

pid	process
4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
4904	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

description	pid	process	target process
PID 4868 set thread context of 4904	4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

pid	process
4904	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
4904	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

pid process

4868 9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

description	pid	process	target process
PID 4868 wrote to memory of 4904	4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
PID 4868 wrote to memory of 4904	4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
PID 4868 wrote to memory of 4904	4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
PID 4868 wrote to memory of 4904	4868	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe	9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe

C:\Users\Admin\AppData\Local\Temp\9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
"C:\Users\Admin\AppData\Local\Temp\9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe
"C:\Users\Admin\AppData\Local\Temp\9d5019cef8a6bc52d94e6b4becf6249f2d202ac90204bbf508f9e62454f2f2fd.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh6816.tmp\System.dll
Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/4868-140-0x0000000003350000-0x0000000006288000-memory.dmp

Filesize
47.2MB

Download
memory/4868-141-0x0000000003350000-0x0000000006288000-memory.dmp

Filesize
47.2MB

Download
memory/4904-142-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4904-143-0x0000000001660000-0x0000000004598000-memory.dmp

Filesize
47.2MB

Download
memory/4904-144-0x0000000001660000-0x0000000004598000-memory.dmp

Filesize
47.2MB

Download
memory/4904-145-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4904-146-0x0000000001660000-0x0000000004598000-memory.dmp

Filesize
47.2MB

Download
memory/4904-148-0x00000000349E0000-0x0000000034D2A000-memory.dmp

Filesize
3.3MB

Download
memory/4904-147-0x0000000001660000-0x0000000004598000-memory.dmp

Filesize
47.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads