formbook | b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a

General

Target

order no. 43453.exe
Size

888KB
MD5

6ec0ad707cfd679db91e380648658a1c
SHA1

6522654f789b6da6045c244187c776401ae61b35
SHA256

b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
SHA512

0255a358f7307400f4511d0cf6ef848291bdce447a2aff3dae239664cc80b4c3c74ccf674a0da0f7c64ef395181da07e46ed0b146574d5c9232e4c8e36c6aeb7

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.valiantbranch.com/0wdn/

Decoy

inclusivefamilybookshop.com

hollyjmillsphotography.com

mojavewellnessaz.com

cookies-x.info

trainingkanban.com

tempoborough.life

mayalv.com

mbsgiftstore.com

vanjele.com

serieshaha.com

jlbstructural.com

topkids.asia

thejoyofleather.com

qvujxa.com

anythinginworld.com

danielablason.com

smartphoneloops.com

thisisauckland.com

cityelectricals.com

revati-thenoir.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1484-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1484-10-0x000000000041D110-mapping.dmp	xloader
behavioral1/memory/884-12-0x0000000000000000-mapping.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1132 cmd.exe

pid	process
1132	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

order no. 43453.exeorder no. 43453.execolorcpl.exe

description	pid	process	target process
PID 1036 set thread context of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1484 set thread context of 1196	1484	order no. 43453.exe	Explorer.EXE
PID 1484 set thread context of 1196	1484	order no. 43453.exe	Explorer.EXE
PID 884 set thread context of 1196	884	colorcpl.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

584 schtasks.exe

pid	process
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

order no. 43453.execolorcpl.exe

pid	process
1484	order no. 43453.exe
1484	order no. 43453.exe
1484	order no. 43453.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe
884	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

order no. 43453.execolorcpl.exe

pid process

1484 order no. 43453.exe
1484 order no. 43453.exe
1484 order no. 43453.exe
1484 order no. 43453.exe
884 colorcpl.exe
884 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

order no. 43453.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1484 order no. 43453.exe
Token: SeDebugPrivilege 884 colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	1484	order no. 43453.exe
Token: SeDebugPrivilege	884	colorcpl.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

order no. 43453.exeorder no. 43453.execolorcpl.exe

description	pid	process	target process
PID 1036 wrote to memory of 584	1036	order no. 43453.exe	schtasks.exe
PID 1036 wrote to memory of 584	1036	order no. 43453.exe	schtasks.exe
PID 1036 wrote to memory of 584	1036	order no. 43453.exe	schtasks.exe
PID 1036 wrote to memory of 584	1036	order no. 43453.exe	schtasks.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1036 wrote to memory of 1484	1036	order no. 43453.exe	order no. 43453.exe
PID 1484 wrote to memory of 884	1484	order no. 43453.exe	colorcpl.exe
PID 1484 wrote to memory of 884	1484	order no. 43453.exe	colorcpl.exe
PID 1484 wrote to memory of 884	1484	order no. 43453.exe	colorcpl.exe
PID 1484 wrote to memory of 884	1484	order no. 43453.exe	colorcpl.exe
PID 884 wrote to memory of 1132	884	colorcpl.exe	cmd.exe
PID 884 wrote to memory of 1132	884	colorcpl.exe	cmd.exe
PID 884 wrote to memory of 1132	884	colorcpl.exe	cmd.exe
PID 884 wrote to memory of 1132	884	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe
"C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZlxSqEyhCzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E03.tmp"
3⤵
- Creates scheduled task(s)
PID:584

C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe
"C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
5⤵
- Deletes itself
PID:1132

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2E03.tmp
MD5
ef08fcaf233ff6a1f0e0d8fd29e8aaca

SHA1
ffbe1494b0658f06df1edb6205ab6e55fcfdd04c

SHA256
66272917242f4a1d4975a9791e4df185e397961ce8b05c32c3c4201e4cb6f832

SHA512
6c47832f50be85835375acddb2dffa3a462bc5c53a7bd780153315b63faeab2ea959d9c8b3e76421565df8fd535051d149bf66c8f8ca18019d1476872272b502

Download Submit
memory/584-7-0x0000000000000000-mapping.dmp

Download
memory/884-15-0x0000000004470000-0x000000000455F000-memory.dmp

Filesize
956KB

Download
memory/884-13-0x00000000007E0000-0x00000000007F8000-memory.dmp

Filesize
96KB

Download
memory/884-12-0x0000000000000000-mapping.dmp

Download
memory/1036-6-0x0000000005490000-0x00000000054F7000-memory.dmp

Filesize
412KB

Download
memory/1036-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-5-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1036-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1132-14-0x0000000000000000-mapping.dmp

Download
memory/1196-11-0x0000000006F30000-0x000000000707A000-memory.dmp

Filesize
1.3MB

Download
memory/1196-16-0x0000000003CA0000-0x0000000003D82000-memory.dmp

Filesize
904KB

Download
memory/1484-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1484-10-0x000000000041D110-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads