formbook | b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a

General

Target

order no. 43453.exe
Size

888KB
MD5

6ec0ad707cfd679db91e380648658a1c
SHA1

6522654f789b6da6045c244187c776401ae61b35
SHA256

b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
SHA512

0255a358f7307400f4511d0cf6ef848291bdce447a2aff3dae239664cc80b4c3c74ccf674a0da0f7c64ef395181da07e46ed0b146574d5c9232e4c8e36c6aeb7

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.valiantbranch.com/0wdn/

Decoy

inclusivefamilybookshop.com

hollyjmillsphotography.com

mojavewellnessaz.com

cookies-x.info

trainingkanban.com

tempoborough.life

mayalv.com

mbsgiftstore.com

vanjele.com

serieshaha.com

jlbstructural.com

topkids.asia

thejoyofleather.com

qvujxa.com

anythinginworld.com

danielablason.com

smartphoneloops.com

thisisauckland.com

cityelectricals.com

revati-thenoir.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1412-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1412-15-0x000000000041D110-mapping.dmp	xloader
behavioral2/memory/1392-16-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

order no. 43453.exeorder no. 43453.exenetsh.exe

description	pid	process	target process
PID 492 set thread context of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 1412 set thread context of 3128	1412	order no. 43453.exe	Explorer.EXE
PID 1412 set thread context of 3128	1412	order no. 43453.exe	Explorer.EXE
PID 1392 set thread context of 3128	1392	netsh.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3812 schtasks.exe

pid	process
3812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

order no. 43453.exenetsh.exe

pid	process
1412	order no. 43453.exe
1412	order no. 43453.exe
1412	order no. 43453.exe
1412	order no. 43453.exe
1412	order no. 43453.exe
1412	order no. 43453.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe
1392	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

order no. 43453.exenetsh.exe

pid process

1412 order no. 43453.exe
1412 order no. 43453.exe
1412 order no. 43453.exe
1412 order no. 43453.exe
1392 netsh.exe
1392 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

order no. 43453.exenetsh.exe

description pid process

Token: SeDebugPrivilege 1412 order no. 43453.exe
Token: SeDebugPrivilege 1392 netsh.exe

description	pid	process
Token: SeDebugPrivilege	1412	order no. 43453.exe
Token: SeDebugPrivilege	1392	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

order no. 43453.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 492 wrote to memory of 3812	492	order no. 43453.exe	schtasks.exe
PID 492 wrote to memory of 3812	492	order no. 43453.exe	schtasks.exe
PID 492 wrote to memory of 3812	492	order no. 43453.exe	schtasks.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 492 wrote to memory of 1412	492	order no. 43453.exe	order no. 43453.exe
PID 3128 wrote to memory of 1392	3128	Explorer.EXE	netsh.exe
PID 3128 wrote to memory of 1392	3128	Explorer.EXE	netsh.exe
PID 3128 wrote to memory of 1392	3128	Explorer.EXE	netsh.exe
PID 1392 wrote to memory of 2252	1392	netsh.exe	cmd.exe
PID 1392 wrote to memory of 2252	1392	netsh.exe	cmd.exe
PID 1392 wrote to memory of 2252	1392	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe
"C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZlxSqEyhCzs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30A6.tmp"
3⤵
- Creates scheduled task(s)
PID:3812

C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe
"C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\order no. 43453.exe"
3⤵
PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp30A6.tmp
MD5
942ab6bfe8e4542d5836d999fba0f727

SHA1
e52dcbd09a7e862e1c3c08745f2406317997b0b7

SHA256
004952a9f2b63e350ec8ac9f775a732e0b08fc55e2753a93269812c01ffab3f4

SHA512
cb308ad220d9945393de7a8b65ac70fc0028359abae743d099396dc7aeef826ccbd13327e297ca3cd6d23848ae28e40ad7dec22a1a37890a26cdf42f1eba46db

Download Submit
memory/492-11-0x0000000006290000-0x00000000062F7000-memory.dmp

Filesize
412KB

Download
memory/492-8-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/492-2-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/492-7-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/492-3-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/492-9-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/492-10-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/492-5-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/492-6-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/1392-16-0x0000000000000000-mapping.dmp

Download
memory/1392-17-0x00000000008D0000-0x00000000008EE000-memory.dmp

Filesize
120KB

Download
memory/1392-18-0x00000000008D0000-0x00000000008EE000-memory.dmp

Filesize
120KB

Download
memory/1392-20-0x0000000005590000-0x0000000005666000-memory.dmp

Filesize
856KB

Download
memory/1412-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1412-15-0x000000000041D110-mapping.dmp

Download
memory/2252-19-0x0000000000000000-mapping.dmp

Download
memory/3812-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads