formbook | a3a232eeba1fafa7da4d19cfa4a0dc02b593009499d17a1bac279a8d93c0663d

General

Target

Akbank Hesap Özetiniz.exe
Size

404KB
MD5

5fe77c6027fa23fedabc857258e74dda
SHA1

539ac0da68c1a997d1bac48086758c167fe740a1
SHA256

a3a232eeba1fafa7da4d19cfa4a0dc02b593009499d17a1bac279a8d93c0663d
SHA512

d3b27c18bfc957e72d314394aff6559483957ea4203629298ce24d8c3e68d680b3d0676428e5bb47e37e12b67aab1a8023854acdf19870b086e5472cf2b28673
SSDEEP

12288:ztLWRJQobrqSnXhR/8HwIH4rmxOt93OXQ1swIoQ:z56JJ3nXhR/8QIYSxOtFcQBIoQ

Score

10^/10

formbook guloader fg83 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fg83

Decoy

ghostpreneur.store

banksolutions.biz

dcroofingservicesinc.com

mtotem.online

telefonino.shop

bjbruq.com

sanlimarket.com

ssmreio.com

soilcarbonservices.com

itgandi.com

23-services.com

rtuakl.xyz

shippedparck.hair

aitechscope.com

789v35top1dna.life

visionaryglobalconsulting.com

autosportsrepairs.com

ecoproducefest.info

ballbucketssalesstore.com

81775557.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3696-165-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/3696-168-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/648-177-0x0000000000F00000-0x0000000000F2F000-memory.dmp	formbook
behavioral2/memory/648-180-0x0000000000F00000-0x0000000000F2F000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Akbank Hesap Özetiniz.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Akbank Hesap Özetiniz.exe

Loads dropped DLL 2 IoCs

pid	Process
5040	Akbank Hesap Özetiniz.exe
5040	Akbank Hesap Özetiniz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3696	Akbank Hesap Özetiniz.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5040	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 3696 set thread context of 3156	3696	Akbank Hesap Özetiniz.exe	71
PID 648 set thread context of 3156	648	svchost.exe	71

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\unstirrable\microprint\torose.lit	Akbank Hesap Özetiniz.exe
File opened for modification	C:\Windows\Values157\calinas\Ledendes.Bul	Akbank Hesap Özetiniz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3696	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe
648	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
5040	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
3696	Akbank Hesap Özetiniz.exe
648	svchost.exe
648	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	Akbank Hesap Özetiniz.exe
Token: SeDebugPrivilege	648	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 5040 wrote to memory of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 5040 wrote to memory of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 5040 wrote to memory of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 5040 wrote to memory of 3696	5040	Akbank Hesap Özetiniz.exe	90
PID 3156 wrote to memory of 648	3156	Explorer.EXE	91
PID 3156 wrote to memory of 648	3156	Explorer.EXE	91
PID 3156 wrote to memory of 648	3156	Explorer.EXE	91
PID 648 wrote to memory of 544	648	svchost.exe	92
PID 648 wrote to memory of 544	648	svchost.exe	92
PID 648 wrote to memory of 544	648	svchost.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\Akbank Hesap Özetiniz.exe
  "C:\Users\Admin\AppData\Local\Temp\Akbank Hesap Özetiniz.exe"
  2⤵
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\Akbank Hesap Özetiniz.exe
    "C:\Users\Admin\AppData\Local\Temp\Akbank Hesap Özetiniz.exe"
    3⤵
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Akbank Hesap Özetiniz.exe"
    3⤵
    PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/648-180-0x0000000000F00000-0x0000000000F2F000-memory.dmp

Filesize
188KB

Download
memory/648-183-0x00000000018A0000-0x0000000001933000-memory.dmp

Filesize
588KB

Download
memory/648-179-0x0000000001A00000-0x0000000001D4A000-memory.dmp

Filesize
3.3MB

Download
memory/648-177-0x0000000000F00000-0x0000000000F2F000-memory.dmp

Filesize
188KB

Download
memory/648-176-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/648-173-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/3156-185-0x0000000008B90000-0x0000000008C49000-memory.dmp

Filesize
740KB

Download
memory/3156-184-0x0000000008B90000-0x0000000008C49000-memory.dmp

Filesize
740KB

Download
memory/3156-187-0x0000000008B90000-0x0000000008C49000-memory.dmp

Filesize
740KB

Download
memory/3156-181-0x0000000008800000-0x00000000088F3000-memory.dmp

Filesize
972KB

Download
memory/3156-171-0x0000000008800000-0x00000000088F3000-memory.dmp

Filesize
972KB

Download
memory/3696-148-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3696-152-0x0000000077D85000-0x0000000077D86000-memory.dmp

Filesize
4KB

Download
memory/3696-169-0x00000000000D0000-0x00000000000E4000-memory.dmp

Filesize
80KB

Download
memory/3696-170-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/3696-167-0x0000000034B90000-0x0000000034EDA000-memory.dmp

Filesize
3.3MB

Download
memory/3696-166-0x0000000001660000-0x0000000004526000-memory.dmp

Filesize
46.8MB

Download
memory/3696-165-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3696-168-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3696-174-0x0000000001660000-0x0000000004526000-memory.dmp

Filesize
46.8MB

Download
memory/3696-151-0x0000000077D68000-0x0000000077D69000-memory.dmp

Filesize
4KB

Download
memory/3696-150-0x0000000001660000-0x0000000004526000-memory.dmp

Filesize
46.8MB

Download
memory/3696-149-0x0000000001660000-0x0000000004526000-memory.dmp

Filesize
46.8MB

Download
memory/5040-147-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/5040-146-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/5040-145-0x00000000031E0000-0x00000000060A6000-memory.dmp

Filesize
46.8MB

Download
memory/5040-144-0x00000000031E0000-0x00000000060A6000-memory.dmp

Filesize
46.8MB

Download

Analysis

Sharing