formbook | 8db1d8b3a8eb2032f2ee904c2cfb19f81bdf51f35f1aa479b1499a22f33ccb9a

General

Target

f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
Size

241KB
MD5

f93308a9428065a3ff3d75c40d64de09
SHA1

d4d42dea5dd2047d5df137c2e5fcb9aed7c58218
SHA256

f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e
SHA512

dc38a57fd1dffdf72ee2b5a90006790e7a55f6bca22c08215eb007e582513964dcedbaa8fe3a5676a2cf5d708a429b1bbdd0c00c636cbf27d52e9cccde2890c2
SSDEEP

6144:HNeZmxExGrK6smi9FnGg4gZ6+TzLg0tWtowfvlAv4+OIVR:HNlxEGrVHkGgXkSzLz+owFAvCq

Score

10^/10

formbook r1e3 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

r1e3

Decoy

floorwaves.com

leshigou.top

2y3jq.com

karobazaar.com

cookdd9.com

xn--9kqu10bhqv.top

hollieforson.com

peachso.com

gerberry.info

abslikepro.com

lesourire-official.com

dfhgxi.icu

lightofcg.com

hismozart.com

nieuwemaniervanleven.com

trimble-gs-112-cable-reel.com

putacandleinit.com

gopenly.xyz

northcountyneuropsychology.com

thekittyherbalist.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2976-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2976-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1804-24-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3060	gvwpfsvx.exe
2976	gvwpfsvx.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
3060	gvwpfsvx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 2976	3060	gvwpfsvx.exe	31
PID 2976 set thread context of 1248	2976	gvwpfsvx.exe	21
PID 1804 set thread context of 1248	1804	rundll32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvwpfsvx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2976	gvwpfsvx.exe
2976	gvwpfsvx.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2976	gvwpfsvx.exe
2976	gvwpfsvx.exe
2976	gvwpfsvx.exe
1804	rundll32.exe
1804	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	gvwpfsvx.exe
Token: SeDebugPrivilege	1804	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3060	2860	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	30
PID 2860 wrote to memory of 3060	2860	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	30
PID 2860 wrote to memory of 3060	2860	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	30
PID 2860 wrote to memory of 3060	2860	f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe	30
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 3060 wrote to memory of 2976	3060	gvwpfsvx.exe	31
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1248 wrote to memory of 1804	1248	Explorer.EXE	32
PID 1804 wrote to memory of 1768	1804	rundll32.exe	33
PID 1804 wrote to memory of 1768	1804	rundll32.exe	33
PID 1804 wrote to memory of 1768	1804	rundll32.exe	33
PID 1804 wrote to memory of 1768	1804	rundll32.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe
  "C:\Users\Admin\AppData\Local\Temp\f709663edaef8f4578cca9fa6de27c39e7748350c4d737182380a041c51dba2e.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe
    C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe C:\Users\Admin\AppData\Local\Temp\uhsrada
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe
      C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe C:\Users\Admin\AppData\Local\Temp\uhsrada
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uhsrada

Filesize
5KB

MD5
c0cffc798da9e392003e1cca2edd4011

SHA1
45eeb3a41ad0de57deee757b77139d9203c30a43

SHA256
a34a5545eedeb20a2e252b02fa2de89831c2644ea2d46a7313d885b0c107fd9a

SHA512
a8d37b395ad70119d00b4cd84aeb3904e4e89403c27d352f20b13aa38772c976f784fc1f7842d39c9a2403b8889c4eb507fe42f8e27d1ae3e0c8254e9ebed612

Download Submit
C:\Users\Admin\AppData\Local\Temp\uraaz2snehz0dg

Filesize
212KB

MD5
49a6bb438a3c1f01095adf7dbbeeea27

SHA1
a46b35093b08cec2065f6e622790ba093d10f825

SHA256
baef02274fcd4d2a5a8a9caf3d8c14b7aa1e1ef97bca407f46c6077f99aa1199

SHA512
9b9eea79c65e8ec5169e5829e653a1dc0ec3671f799be0150aaadf072f5d68860c29bd4f766593551bc751436c9545f96718ec39d1f47fac01f84fdbc5cdeaf6

Download Submit
\Users\Admin\AppData\Local\Temp\gvwpfsvx.exe

Filesize
5KB

MD5
7736fb3049e387bf3b1c1a45dab8b94a

SHA1
d6d7bb9087a9900c824fea643e6e84aed3a62cff

SHA256
a53f89fbe86157a1979d0db0748e39d4785666668bb6372156c8724492112ca5

SHA512
5c022f1ada7c8f75f123789a7dae6ae12329641e7cbc7884f1967aa600b89daf2e37eeaef9e0af33c75dd33f424525211de061b6764892b59e7cd5528f91a570

Download Submit
memory/1248-16-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1248-25-0x0000000004E70000-0x0000000004F7D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-17-0x0000000004E70000-0x0000000004F7D000-memory.dmp

Filesize
1.1MB

Download
memory/1804-21-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/1804-20-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/1804-23-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/1804-24-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/2976-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-9-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing