formbook | 9548c6a9da2d6cee9d27565c0055be4429cabfae9287ab3e525aaba66fd67032

General

Target

ab62532db045fc659e00887f83800dd1.exe
Size

1.0MB
MD5

ab62532db045fc659e00887f83800dd1
SHA1

ffe9b4472a606730610d7fe3241292db91ed8879
SHA256

9548c6a9da2d6cee9d27565c0055be4429cabfae9287ab3e525aaba66fd67032
SHA512

e11bb17e2052831ef68a8301ea684668c8ef9300b80611cc0342c38cab4f6528143026885244eb4d5e5b84f5ae411a95981ab72348fdba2a4db86a5030745535

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.herbmedia.net/csv8/

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1344-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1344-10-0x000000000041D0C0-mapping.dmp	xloader
behavioral1/memory/1512-11-0x0000000000000000-mapping.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

ab62532db045fc659e00887f83800dd1.exevbc.execmd.exe

description	pid	process	target process
PID 1676 set thread context of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1344 set thread context of 1248	1344	vbc.exe	Explorer.EXE
PID 1512 set thread context of 1248	1512	cmd.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1584 schtasks.exe

pid	process
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

ab62532db045fc659e00887f83800dd1.exevbc.execmd.exe

pid	process
1676	ab62532db045fc659e00887f83800dd1.exe
1344	vbc.exe
1344	vbc.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe
1512	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execmd.exe

pid process

1344 vbc.exe
1344 vbc.exe
1344 vbc.exe
1512 cmd.exe
1512 cmd.exe

pid	process
1344	vbc.exe
1344	vbc.exe
1344	vbc.exe
1512	cmd.exe
1512	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ab62532db045fc659e00887f83800dd1.exevbc.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1676	ab62532db045fc659e00887f83800dd1.exe
Token: SeDebugPrivilege	1344	vbc.exe
Token: SeDebugPrivilege	1512	cmd.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

ab62532db045fc659e00887f83800dd1.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 1584	1676	ab62532db045fc659e00887f83800dd1.exe	schtasks.exe
PID 1676 wrote to memory of 1584	1676	ab62532db045fc659e00887f83800dd1.exe	schtasks.exe
PID 1676 wrote to memory of 1584	1676	ab62532db045fc659e00887f83800dd1.exe	schtasks.exe
PID 1676 wrote to memory of 1584	1676	ab62532db045fc659e00887f83800dd1.exe	schtasks.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1676 wrote to memory of 1344	1676	ab62532db045fc659e00887f83800dd1.exe	vbc.exe
PID 1248 wrote to memory of 1512	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 1512	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 1512	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 1512	1248	Explorer.EXE	cmd.exe
PID 1512 wrote to memory of 916	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	cmd.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\ab62532db045fc659e00887f83800dd1.exe
"C:\Users\Admin\AppData\Local\Temp\ab62532db045fc659e00887f83800dd1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GbXrJAAtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp"
3⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1803.tmp
MD5
fb685573ff5a20c7d343fcd6b2d09bd7

SHA1
9febb06e7f6d732e4d8ec048bed663ebab4fd24e

SHA256
a1103ebd09e55bf4e037ff8b421367fc3c54f127dd775f9499384c6b900afba5

SHA512
6187877178149fe5e71fc486f90311f49af96fe96d23f85665ff94b612bb53a5a7458d088f2584669de7901567d0f125d5d1af12bd5d98294ccbfd59cc0ef6a6

Download Submit
memory/916-13-0x0000000000000000-mapping.dmp

Download
memory/1344-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1344-10-0x000000000041D0C0-mapping.dmp

Download
memory/1512-11-0x0000000000000000-mapping.dmp

Download
memory/1512-12-0x000000004A140000-0x000000004A18C000-memory.dmp

Filesize
304KB

Download
memory/1512-14-0x0000000005190000-0x00000000052C6000-memory.dmp

Filesize
1.2MB

Download
memory/1584-7-0x0000000000000000-mapping.dmp

Download
memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1676-3-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1676-5-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1676-6-0x00000000005A0000-0x000000000061A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads