formbook | b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f

General

Target

Statement Of Account.exe
Size

772KB
MD5

da68e8ff4e0c0d00c613fa9301cf4a37
SHA1

7456cf2540dce6403407b532c502ce5abb07e9ec
SHA256

b7def3af905789a4ecedcc226d91592d8bc758ce8c5458d62ef435707de8670f
SHA512

3ac31e76311ad1acec983dedb6f2142471a6225bb279a5c9425fd75a15971d2e635ec4d7dfc8a060b1d647ef67d168504452a4acf4500047f31c63c932de99f6
SSDEEP

12288:xSNhWU2EOum32U5Gt68PG+SAJYyEQzHmt5xCohEotOJ6E+L+BtN:xSLrvUGt07MY9xCohEl8LaN

Score

10^/10

formbook gs12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs12

Decoy

juniavilela.com

italiahealth.club

freefoodpro.com

qqmotor.co

mosahacatering.com

wocc.club

tourly360.com

airzf.com

eternalknot1008.com

pons.cc

zdryueva.com

bodution.website

vip8g100013.top

3box.club

bestoffersinoneplace.com

tronbank.club

hlysh.live

allfireofferapp.sbs

goldenvistaservices.com

theconfidencebl-youprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4844-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4844-41-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3432-100-0x00000000004F0000-0x000000000051F000-memory.dmp	formbook
behavioral2/memory/3432-102-0x00000000004F0000-0x000000000051F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Statement Of Account.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Statement Of Account.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Statement Of Account.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 2780 set thread context of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 4844 set thread context of 3364	4844	RegSvcs.exe	Explorer.EXE
PID 3432 set thread context of 3364	3432	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2440 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

3432 NETSTAT.EXE

pid	process
2440	schtasks.exe

pid	process
3432	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exeNETSTAT.EXE

pid	process
5268	powershell.exe
5268	powershell.exe
5616	powershell.exe
5616	powershell.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
5268	powershell.exe
5616	powershell.exe
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE
3432	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

4844 RegSvcs.exe
4844 RegSvcs.exe
4844 RegSvcs.exe
3432 NETSTAT.EXE
3432 NETSTAT.EXE

pid	process
4844	RegSvcs.exe
4844	RegSvcs.exe
4844	RegSvcs.exe
3432	NETSTAT.EXE
3432	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	4844	RegSvcs.exe
Token: SeShutdownPrivilege	3364	Explorer.EXE
Token: SeCreatePagefilePrivilege	3364	Explorer.EXE
Token: SeShutdownPrivilege	3364	Explorer.EXE
Token: SeCreatePagefilePrivilege	3364	Explorer.EXE
Token: SeDebugPrivilege	3432	NETSTAT.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3364 Explorer.EXE

pid	process
3364	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Statement Of Account.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2780 wrote to memory of 5268	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 5268	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 5268	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 5616	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 5616	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 5616	2780	Statement Of Account.exe	powershell.exe
PID 2780 wrote to memory of 2440	2780	Statement Of Account.exe	schtasks.exe
PID 2780 wrote to memory of 2440	2780	Statement Of Account.exe	schtasks.exe
PID 2780 wrote to memory of 2440	2780	Statement Of Account.exe	schtasks.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 2780 wrote to memory of 4844	2780	Statement Of Account.exe	RegSvcs.exe
PID 3364 wrote to memory of 3432	3364	Explorer.EXE	NETSTAT.EXE
PID 3364 wrote to memory of 3432	3364	Explorer.EXE	NETSTAT.EXE
PID 3364 wrote to memory of 3432	3364	Explorer.EXE	NETSTAT.EXE
PID 3432 wrote to memory of 3196	3432	NETSTAT.EXE	cmd.exe
PID 3432 wrote to memory of 3196	3432	NETSTAT.EXE	cmd.exe
PID 3432 wrote to memory of 3196	3432	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe
"C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Statement Of Account.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SdYCcXyq.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SdYCcXyq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5515.tmp"
3⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3b08be707955ec74ae32001f9400023d

SHA1
0906ddf411da2e1d099cecb9a409a24d04485a13

SHA256
72aa021b322347e89ef5d9bfa95f3c179243b7586be1347e3b58d565dea637db

SHA512
1435eea1d4a0c041e4e3fee6b5ea760610b676c45905068c9b7524389a3fffa73e9447153c60bd385e4b79f3bb06539642ee9a191afd34291a0a6ebda07b94da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dd0u2i4.r4b.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5515.tmp
Filesize
1KB

MD5
aaacf5e74570111d7c444d7bebaa3356

SHA1
14754aa3918fbbd0e313ca130f5d59abbb11b136

SHA256
cf9eef63a0bff8466b5955c9f43803339c18f1fb9ef8a5b57a3808a5aaefbea9

SHA512
ab151ce367b0fc68ca3debb7bb013f2a446efdbdda486286732960c040ee0c345556066195383cf7dcbbb69e38307a4e092368821b64599cf698aadf494aaf5f

Download Submit
memory/2780-7-0x0000000005CF0000-0x0000000005CFE000-memory.dmp

Filesize
56KB

Download
memory/2780-4-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2780-6-0x0000000005CB0000-0x0000000005CC8000-memory.dmp

Filesize
96KB

Download
memory/2780-0-0x0000000000FE0000-0x00000000010A8000-memory.dmp

Filesize
800KB

Download
memory/2780-8-0x0000000005D00000-0x0000000005D14000-memory.dmp

Filesize
80KB

Download
memory/2780-9-0x0000000005440000-0x00000000054B6000-memory.dmp

Filesize
472KB

Download
memory/2780-10-0x00000000094C0000-0x000000000955C000-memory.dmp

Filesize
624KB

Download
memory/2780-5-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/2780-1-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2780-2-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/2780-31-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2780-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3364-111-0x0000000006EA0000-0x0000000006F6C000-memory.dmp

Filesize
816KB

Download
memory/3364-107-0x0000000006EA0000-0x0000000006F6C000-memory.dmp

Filesize
816KB

Download
memory/3364-52-0x0000000002670000-0x0000000002757000-memory.dmp

Filesize
924KB

Download
memory/3364-108-0x0000000006EA0000-0x0000000006F6C000-memory.dmp

Filesize
816KB

Download
memory/3432-99-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/3432-102-0x00000000004F0000-0x000000000051F000-memory.dmp

Filesize
188KB

Download
memory/3432-104-0x0000000000A70000-0x0000000000B03000-memory.dmp

Filesize
588KB

Download
memory/3432-98-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/3432-101-0x0000000000DA0000-0x00000000010EA000-memory.dmp

Filesize
3.3MB

Download
memory/3432-100-0x00000000004F0000-0x000000000051F000-memory.dmp

Filesize
188KB

Download
memory/4844-32-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/4844-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-42-0x0000000000D30000-0x0000000000D44000-memory.dmp

Filesize
80KB

Download
memory/5268-53-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/5268-88-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

Filesize
80KB

Download
memory/5268-16-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/5268-15-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/5268-57-0x000000007F1E0000-0x000000007F1F0000-memory.dmp

Filesize
64KB

Download
memory/5268-59-0x00000000753D0000-0x000000007541C000-memory.dmp

Filesize
304KB

Download
memory/5268-17-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5268-19-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/5268-81-0x0000000007710000-0x00000000077B3000-memory.dmp

Filesize
652KB

Download
memory/5268-80-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5268-18-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5268-83-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/5268-24-0x0000000005680000-0x00000000056A2000-memory.dmp

Filesize
136KB

Download
memory/5268-84-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/5268-85-0x0000000007AF0000-0x0000000007B86000-memory.dmp

Filesize
600KB

Download
memory/5268-33-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/5268-87-0x0000000007AA0000-0x0000000007AAE000-memory.dmp

Filesize
56KB

Download
memory/5268-96-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/5268-89-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/5268-90-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/5616-22-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/5616-97-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/5616-54-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/5616-38-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/5616-86-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/5616-82-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/5616-40-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/5616-20-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/5616-78-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/5616-79-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/5616-58-0x00000000753D0000-0x000000007541C000-memory.dmp

Filesize
304KB

Download
memory/5616-56-0x0000000006D60000-0x0000000006D92000-memory.dmp

Filesize
200KB

Download
memory/5616-55-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads