formbook | afaa365ef87b1aa804d330d56de9cee53e284870221ddf9aae2c36774e69e9af

General

Target

Revise Order.exe
Size

868KB
MD5

467fcc237db53f7bb42eac881adde0ba
SHA1

bd09e1cb4167721ab3c73f66a947201f13132378
SHA256

afaa365ef87b1aa804d330d56de9cee53e284870221ddf9aae2c36774e69e9af
SHA512

98a256583937fb716288c8990c46fba7e19d476f86c1be530510d8d76f78c869dbe6329262f10f903ce0cc13622231f23bb4372098125dede5c2e192791d986f

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.lensinlens.com/ehxh/

Decoy

financialaccompany.com

face2bouk.com

blazedisinfecting.com

providaconsultinggroup.com

distriautosdelpacifico.com

myaduhelm.com

thangmaygiatot.com

nuevasantatecla.com

endpedophiles.com

alwanps.com

anzi-studio.com

twoswinginghammers.com

curbedinc.com

purecleantn.com

4levelsplit.com

talklinecall.com

egypte-vakanties.com

xzntfwof.icu

sosyoclassic.com

adjoalearningacademy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1224-7-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1224-8-0x000000000041D050-mapping.dmp	xloader
behavioral1/memory/592-9-0x0000000000000000-mapping.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

848 cmd.exe

pid	process
848	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Revise Order.exeRevise Order.exewscript.exe

description	pid	process	target process
PID 932 set thread context of 1224	932	Revise Order.exe	Revise Order.exe
PID 1224 set thread context of 1276	1224	Revise Order.exe	Explorer.EXE
PID 1224 set thread context of 1276	1224	Revise Order.exe	Explorer.EXE
PID 592 set thread context of 1276	592	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Revise Order.exewscript.exe

pid	process
1224	Revise Order.exe
1224	Revise Order.exe
1224	Revise Order.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe
592	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Revise Order.exewscript.exe

pid process

1224 Revise Order.exe
1224 Revise Order.exe
1224 Revise Order.exe
1224 Revise Order.exe
592 wscript.exe
592 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Revise Order.exewscript.exe

description pid process

Token: SeDebugPrivilege 1224 Revise Order.exe
Token: SeDebugPrivilege 592 wscript.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1224	Revise Order.exe
Token: SeDebugPrivilege	592	wscript.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Revise Order.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 932 wrote to memory of 1224	932	Revise Order.exe	Revise Order.exe
PID 1276 wrote to memory of 592	1276	Explorer.EXE	wscript.exe
PID 1276 wrote to memory of 592	1276	Explorer.EXE	wscript.exe
PID 1276 wrote to memory of 592	1276	Explorer.EXE	wscript.exe
PID 1276 wrote to memory of 592	1276	Explorer.EXE	wscript.exe
PID 592 wrote to memory of 848	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 848	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 848	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 848	592	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\Revise Order.exe
"C:\Users\Admin\AppData\Local\Temp\Revise Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\Revise Order.exe
"C:\Users\Admin\AppData\Local\Temp\Revise Order.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1684

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1676

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1592

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:268

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1016

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:556

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1336

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Revise Order.exe"
3⤵
- Deletes itself
PID:848

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-9-0x0000000000000000-mapping.dmp

Download
memory/592-10-0x0000000000850000-0x0000000000876000-memory.dmp

Filesize
152KB

Download
memory/592-12-0x0000000004600000-0x0000000004780000-memory.dmp

Filesize
1.5MB

Download
memory/848-11-0x0000000000000000-mapping.dmp

Download
memory/932-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/932-3-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/932-5-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/932-6-0x0000000005600000-0x0000000005668000-memory.dmp

Filesize
416KB

Download
memory/1224-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1224-8-0x000000000041D050-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads