formbook | e4141a1f1d7e56f4196a1cea4d0804d0206d858e452012fd36e5d1c0eac81c3d

General

Target

DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
Size

1.1MB
MD5

eb2002937cb72b457e35ce221ebf299e
SHA1

be5027e99c4f251652b533e768167ee5a40fc7e2
SHA256

e4141a1f1d7e56f4196a1cea4d0804d0206d858e452012fd36e5d1c0eac81c3d
SHA512

850e03147c2ea65119eff125dd4e6e5dc002721f22e3bcccacb1ad54661235a5244b86c2cc59e25737f81ba221a53411f025235376a22620373f4def8bc4e272

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.believe.academy/me2z/

Decoy

rampdauto.com

noriharte.com

harborfreightcreditcard.com

tktspyhwz.icu

cagehosting.com

hgfte.club

fullnessspa.com

link-repair.com

rrjyds.com

edevletdestekcardmerkez.com

sprayingmachines.com

janerowenlester.com

velocityworkflow.com

kcrm.computer

kjbubeng.com

virtualhockeyconference.com

trugrits.com

creativesociallight.com

dnaswabtesting.com

willpool.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/928-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/928-15-0x000000000041D090-mapping.dmp	xloader
behavioral2/memory/4000-17-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL SHIPPING AND TRACKING DOCUMENT_PDF.exeDHL SHIPPING AND TRACKING DOCUMENT_PDF.execmd.exe

description	pid	process	target process
PID 984 set thread context of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 928 set thread context of 2144	928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	Explorer.EXE
PID 4000 set thread context of 2144	4000	cmd.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

208 schtasks.exe

pid	process
208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

DHL SHIPPING AND TRACKING DOCUMENT_PDF.execmd.exe

pid	process
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe
4000	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL SHIPPING AND TRACKING DOCUMENT_PDF.execmd.exe

pid	process
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
4000	cmd.exe
4000	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL SHIPPING AND TRACKING DOCUMENT_PDF.execmd.exe

description pid process

Token: SeDebugPrivilege 928 DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
Token: SeDebugPrivilege 4000 cmd.exe

description	pid	process
Token: SeDebugPrivilege	928	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
Token: SeDebugPrivilege	4000	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DHL SHIPPING AND TRACKING DOCUMENT_PDF.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 984 wrote to memory of 208	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	schtasks.exe
PID 984 wrote to memory of 208	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	schtasks.exe
PID 984 wrote to memory of 208	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	schtasks.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 984 wrote to memory of 928	984	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe	DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
PID 2144 wrote to memory of 4000	2144	Explorer.EXE	cmd.exe
PID 2144 wrote to memory of 4000	2144	Explorer.EXE	cmd.exe
PID 2144 wrote to memory of 4000	2144	Explorer.EXE	cmd.exe
PID 4000 wrote to memory of 3776	4000	cmd.exe	cmd.exe
PID 4000 wrote to memory of 3776	4000	cmd.exe	cmd.exe
PID 4000 wrote to memory of 3776	4000	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ndyNgiAFxyaGRA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E1C.tmp"
3⤵
- Creates scheduled task(s)
PID:208

C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING AND TRACKING DOCUMENT_PDF.exe"
3⤵
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6E1C.tmp
MD5
18a13caedce6a6cd00b72f7a8439281d

SHA1
27072d7add1a408102a7f8e0627ea36454df1b34

SHA256
8f383be469013d12691a8b1ec6f67437e9599d695337189592abec5511ee0e92

SHA512
385e1e6d62279cac8d228826f1ec21927bf285ae735e529378395229149d5b6af139dbe321e8cce31d5786cbb8f0f14c193552810afc5e1b825e67acbb6282aa

Download Submit
memory/208-12-0x0000000000000000-mapping.dmp

Download
memory/928-15-0x000000000041D090-mapping.dmp

Download
memory/928-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/984-7-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/984-8-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/984-9-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/984-10-0x00000000031D0000-0x00000000031E2000-memory.dmp

Filesize
72KB

Download
memory/984-11-0x0000000005D90000-0x0000000005DF8000-memory.dmp

Filesize
416KB

Download
memory/984-2-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/984-6-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/984-5-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/984-3-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3776-20-0x0000000000000000-mapping.dmp

Download
memory/4000-17-0x0000000000000000-mapping.dmp

Download
memory/4000-18-0x0000000001320000-0x0000000001379000-memory.dmp

Filesize
356KB

Download
memory/4000-19-0x0000000001320000-0x0000000001379000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads