formbook | 180444e71cfbd639cea07e4cdc28099a444839f5ad3eb024b87dc9664fdfd5ec

General

Target

Doc_74657456348374.xlsx.exe
Size

731KB
MD5

1e8f1e78b590bd90b327429d233c2fe9
SHA1

83eb02aa8a04deb275763d0ca93b130241d241a2
SHA256

180444e71cfbd639cea07e4cdc28099a444839f5ad3eb024b87dc9664fdfd5ec
SHA512

fb6133a86040405c7063effed12866f9964ff3fe323726624806c3f718296de9fa9930235acb4ef28090fa2bc9c5194bc4f0bb9e0b29399f0ffc936c40025c55

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.mczx.net/hpg3/

Decoy

icheapwdshop.com

ilhemayad.com

visionaries-global.com

bondibootybuilder.com

largeprintonline.com

imoney.life

yin.finance

serrurier-depannage-lyon.com

bettar.xyz

robet89.com

sxqfuisju.icu

dveri-interior.com

propertyexpertsmiami.com

tawetap.com

agencykiller.pro

usableclassics.com

elocdigital.com

tronelite.com

aeshahcosmetics.com

comproticket.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/400-9-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/400-10-0x000000000041D030-mapping.dmp	xloader
behavioral1/memory/1028-11-0x0000000000000000-mapping.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

920 cmd.exe

pid	process
920	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Doc_74657456348374.xlsx.exeDoc_74657456348374.xlsx.exesystray.exe

description	pid	process	target process
PID 1204 set thread context of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 400 set thread context of 1264	400	Doc_74657456348374.xlsx.exe	Explorer.EXE
PID 400 set thread context of 1264	400	Doc_74657456348374.xlsx.exe	Explorer.EXE
PID 1028 set thread context of 1264	1028	systray.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1684 schtasks.exe

pid	process
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Doc_74657456348374.xlsx.exesystray.exe

pid	process
400	Doc_74657456348374.xlsx.exe
400	Doc_74657456348374.xlsx.exe
400	Doc_74657456348374.xlsx.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe
1028	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Doc_74657456348374.xlsx.exesystray.exe

pid	process
400	Doc_74657456348374.xlsx.exe
400	Doc_74657456348374.xlsx.exe
400	Doc_74657456348374.xlsx.exe
400	Doc_74657456348374.xlsx.exe
1028	systray.exe
1028	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Doc_74657456348374.xlsx.exesystray.exe

description pid process

Token: SeDebugPrivilege 400 Doc_74657456348374.xlsx.exe
Token: SeDebugPrivilege 1028 systray.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	400	Doc_74657456348374.xlsx.exe
Token: SeDebugPrivilege	1028	systray.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Doc_74657456348374.xlsx.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1204 wrote to memory of 1684	1204	Doc_74657456348374.xlsx.exe	schtasks.exe
PID 1204 wrote to memory of 1684	1204	Doc_74657456348374.xlsx.exe	schtasks.exe
PID 1204 wrote to memory of 1684	1204	Doc_74657456348374.xlsx.exe	schtasks.exe
PID 1204 wrote to memory of 1684	1204	Doc_74657456348374.xlsx.exe	schtasks.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1204 wrote to memory of 400	1204	Doc_74657456348374.xlsx.exe	Doc_74657456348374.xlsx.exe
PID 1264 wrote to memory of 1028	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1028	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1028	1264	Explorer.EXE	systray.exe
PID 1264 wrote to memory of 1028	1264	Explorer.EXE	systray.exe
PID 1028 wrote to memory of 920	1028	systray.exe	cmd.exe
PID 1028 wrote to memory of 920	1028	systray.exe	cmd.exe
PID 1028 wrote to memory of 920	1028	systray.exe	cmd.exe
PID 1028 wrote to memory of 920	1028	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vGJzEtsAZlyR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB413.tmp"
3⤵
- Creates scheduled task(s)
PID:1684

C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe"
3⤵
- Deletes itself
PID:920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB413.tmp
MD5
04bb7edf5f4be6b6a25879a88e12326b

SHA1
bd3e77470cfdcda3312da6a8a408f4ac56be952a

SHA256
5ce02fb616808b773e4f627cfa858f363e7e59e8bb42aa66569f6c83f101ce59

SHA512
15096a8bd9aa2abee33cd17dbef89b2014635dfa0f9d2107d33ccbc898115fdd66529a31c6f8f7dbe6c1f4b9f820ff80eeee044099cf4250c11a5b3a43c2c385

Download Submit
memory/400-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/400-10-0x000000000041D030-mapping.dmp

Download
memory/920-13-0x0000000000000000-mapping.dmp

Download
memory/1028-11-0x0000000000000000-mapping.dmp

Download
memory/1028-12-0x0000000000FF0000-0x0000000000FF5000-memory.dmp

Filesize
20KB

Download
memory/1028-14-0x0000000004160000-0x00000000042B8000-memory.dmp

Filesize
1.3MB

Download
memory/1204-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1204-3-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/1204-6-0x0000000005730000-0x00000000057B2000-memory.dmp

Filesize
520KB

Download
memory/1684-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads