formbook | 2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764

General

Target

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
Size

859KB
MD5

68f382de8e30540a2757aff591a4bf6f
SHA1

487134fd86371426bf0982ba40da9ffd4b44d7dd
SHA256

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764
SHA512

5fff99e691e17aedae9df6e4896af790886f82e45086dee1f6a454ed35df4f5c29084830d491e213f276d191f2ab813a52e62cc72f84f33ce9fc0998f423603a
SSDEEP

12288:ZqXsd0wFzNFJmpjIjNh3fEWupqdmTX1CAiNGs/Or:ZqXsdRlHojIZxfEW2wm

Score

10^/10

formbook zgrat g2fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1508-10-0x000000000B1D0000-0x000000000B25E000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1860-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

description	pid	process	target process
PID 1508 set thread context of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe

pid	process
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exepowershell.exe2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

pid	process
1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
4944	powershell.exe
4944	powershell.exe
1860	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
1860	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
1860	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
4944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

description	pid	process
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
"C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SxfIUEdouwqNB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SxfIUEdouwqNB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0F3.tmp"
2⤵
- Creates scheduled task(s)
PID:2636

C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
"C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe"
2⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
"C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe"
2⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
"C:\Users\Admin\AppData\Local\Temp\2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suoxj3bf.mh1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0F3.tmp
Filesize
1KB

MD5
34f1f1a7f4dd058fddcc42a1747cb706

SHA1
a54bb684c5d7cba6ea97f219eb5db104297d3b47

SHA256
27a302effb85fd469019c1d36dcb4a41298ca32403b5a05d940255c334848c1e

SHA512
87c26e2dfa2ea07dbece73afc0571484c09b5595a00c11091c7ecd5a8e3232c3b3b09e0e7398b472b1e3d1dc7cd52946b1af666fb18d470ebde453da99f2ff66

Download Submit
memory/1508-27-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1508-11-0x000000000B320000-0x000000000B3BC000-memory.dmp

Filesize
624KB

Download
memory/1508-1-0x0000000000CA0000-0x0000000000D7E000-memory.dmp

Filesize
888KB

Download
memory/1508-5-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1508-6-0x0000000005C20000-0x0000000005C3A000-memory.dmp

Filesize
104KB

Download
memory/1508-7-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1508-8-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1508-4-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1508-10-0x000000000B1D0000-0x000000000B25E000-memory.dmp

Filesize
568KB

Download
memory/1508-22-0x000000000B2C0000-0x000000000B2F4000-memory.dmp

Filesize
208KB

Download
memory/1508-15-0x000000000B430000-0x000000000B496000-memory.dmp

Filesize
408KB

Download
memory/1508-3-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1508-0-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1508-9-0x0000000006C70000-0x0000000006C7C000-memory.dmp

Filesize
48KB

Download
memory/1508-2-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/1860-26-0x0000000001180000-0x00000000014CA000-memory.dmp

Filesize
3.3MB

Download
memory/1860-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-17-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4944-54-0x0000000006580000-0x0000000006623000-memory.dmp

Filesize
652KB

Download
memory/4944-21-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/4944-18-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4944-19-0x0000000004970000-0x00000000049A6000-memory.dmp

Filesize
216KB

Download
memory/4944-28-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4944-38-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/4944-39-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/4944-40-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/4944-41-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/4944-42-0x0000000006530000-0x0000000006562000-memory.dmp

Filesize
200KB

Download
memory/4944-43-0x0000000071050000-0x000000007109C000-memory.dmp

Filesize
304KB

Download
memory/4944-53-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/4944-25-0x0000000004F30000-0x0000000004F52000-memory.dmp

Filesize
136KB

Download
memory/4944-55-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/4944-56-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/4944-57-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/4944-58-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4944-59-0x0000000007520000-0x00000000075B6000-memory.dmp

Filesize
600KB

Download
memory/4944-60-0x00000000074C0000-0x00000000074D1000-memory.dmp

Filesize
68KB

Download
memory/4944-61-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/4944-62-0x00000000074F0000-0x0000000007504000-memory.dmp

Filesize
80KB

Download
memory/4944-63-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/4944-64-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/4944-67-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 1508 wrote to memory of 4944	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	powershell.exe
PID 1508 wrote to memory of 4944	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	powershell.exe
PID 1508 wrote to memory of 4944	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	powershell.exe
PID 1508 wrote to memory of 2636	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	schtasks.exe
PID 1508 wrote to memory of 2636	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	schtasks.exe
PID 1508 wrote to memory of 2636	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	schtasks.exe
PID 1508 wrote to memory of 4356	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 4356	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 4356	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 3076	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 3076	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 3076	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe
PID 1508 wrote to memory of 1860	1508	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe	2a669943885bf4566bfd7dca997ec406b34368450e1b41a01cfc65c0de92d764.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads