formbook | 7998814b84f210689bf322b6867119f150c8cc76439cdc3632c8e212fd91f5e9

General

Target

Request For Price and Availability_PDF____.exe
Size

554KB
MD5

7247c2f218df48a7bd824f33f86b1760
SHA1

675a63f975c572ce3c761688a8224e80bce90cd0
SHA256

3c37386f3be133776e9754f751b88396a17d0030105646d373e82e8e0a79fe3c
SHA512

4051997473e621298980c0a0e44548f3bd648c70ac79afb10e96ea995570f3754a600aec823abab285dd370b033f8913642316f0c87e7d97b210ee30582ea372
SSDEEP

12288:8ud04ufv0zINbr57FQ6gUNYitOrlrFpIrlO+A:Rd+f3BQ6gUGVlrgr

Score

10^/10

formbook gg62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gg62

Decoy

refrigerators-pk.today

jajifi.fun

fivonworld.com

rangbangs.com

server-dell.com

jefevirtual.com

jobode.info

grindhardgarage.com

gaoxiba168.com

thekotturfund.com

taberla.com

santorinieshop.com

ajptqqex.click

johnjaen.com

innovantdev.com

mjofvsea2.com

yun0796.com

rokovoko.nexus

tuabogado.gratis

jqinnovation.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4708-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4708-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4708-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1684-23-0x0000000000C90000-0x0000000000CBF000-memory.dmp	formbook
behavioral2/memory/1684-26-0x0000000000C90000-0x0000000000CBF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Request For Price and Availability_PDF____.exeRequest For Price and Availability_PDF____.exeNETSTAT.EXE

description	pid	process	target process
PID 4716 set thread context of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4708 set thread context of 3268	4708	Request For Price and Availability_PDF____.exe	Explorer.EXE
PID 4708 set thread context of 3268	4708	Request For Price and Availability_PDF____.exe	Explorer.EXE
PID 1684 set thread context of 3268	1684	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

1684 NETSTAT.EXE

pid	process
1684	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Request For Price and Availability_PDF____.exeNETSTAT.EXE

pid	process
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE
1684	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3268 Explorer.EXE

pid	process
3268	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Request For Price and Availability_PDF____.exeNETSTAT.EXE

pid	process
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
4708	Request For Price and Availability_PDF____.exe
1684	NETSTAT.EXE
1684	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request For Price and Availability_PDF____.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4708 Request For Price and Availability_PDF____.exe
Token: SeDebugPrivilege 1684 NETSTAT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3268 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4708	Request For Price and Availability_PDF____.exe
Token: SeDebugPrivilege	1684	NETSTAT.EXE

pid	process
3268	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Request For Price and Availability_PDF____.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 4716 wrote to memory of 4708	4716	Request For Price and Availability_PDF____.exe	Request For Price and Availability_PDF____.exe
PID 3268 wrote to memory of 1684	3268	Explorer.EXE	NETSTAT.EXE
PID 3268 wrote to memory of 1684	3268	Explorer.EXE	NETSTAT.EXE
PID 3268 wrote to memory of 1684	3268	Explorer.EXE	NETSTAT.EXE
PID 1684 wrote to memory of 1876	1684	NETSTAT.EXE	cmd.exe
PID 1684 wrote to memory of 1876	1684	NETSTAT.EXE	cmd.exe
PID 1684 wrote to memory of 1876	1684	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\Request For Price and Availability_PDF____.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Price and Availability_PDF____.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\Request For Price and Availability_PDF____.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Price and Availability_PDF____.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3408

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request For Price and Availability_PDF____.exe"
3⤵
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-21-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/1684-29-0x0000000001490000-0x0000000001524000-memory.dmp

Filesize
592KB

Download
memory/1684-26-0x0000000000C90000-0x0000000000CBF000-memory.dmp

Filesize
188KB

Download
memory/1684-25-0x00000000016F0000-0x0000000001A3A000-memory.dmp

Filesize
3.3MB

Download
memory/1684-23-0x0000000000C90000-0x0000000000CBF000-memory.dmp

Filesize
188KB

Download
memory/1684-22-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/3268-24-0x0000000008D80000-0x0000000008EF4000-memory.dmp

Filesize
1.5MB

Download
memory/3268-16-0x0000000008D80000-0x0000000008EF4000-memory.dmp

Filesize
1.5MB

Download
memory/3268-33-0x0000000009800000-0x000000000990B000-memory.dmp

Filesize
1.0MB

Download
memory/3268-31-0x0000000009800000-0x000000000990B000-memory.dmp

Filesize
1.0MB

Download
memory/3268-30-0x0000000009800000-0x000000000990B000-memory.dmp

Filesize
1.0MB

Download
memory/3268-27-0x00000000096C0000-0x00000000097F2000-memory.dmp

Filesize
1.2MB

Download
memory/3268-20-0x00000000096C0000-0x00000000097F2000-memory.dmp

Filesize
1.2MB

Download
memory/4708-19-0x00000000016F0000-0x0000000001705000-memory.dmp

Filesize
84KB

Download
memory/4708-15-0x0000000001470000-0x0000000001485000-memory.dmp

Filesize
84KB

Download
memory/4708-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-12-0x0000000001750000-0x0000000001A9A000-memory.dmp

Filesize
3.3MB

Download
memory/4716-4-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/4716-5-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/4716-0-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4716-3-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4716-2-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4716-6-0x0000000005890000-0x000000000592C000-memory.dmp

Filesize
624KB

Download
memory/4716-1-0x0000000000B70000-0x0000000000C00000-memory.dmp

Filesize
576KB

Download
memory/4716-11-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4716-7-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/4716-8-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads