formbook | ee4b567e9ec4039e3494f812a70c14c02865b600a2356e3f5906ac520242839f

General

Target

FtLroeD5Kmr6rNC.exe
Size

734KB
MD5

c8208e09703f024933544517fb4db4a3
SHA1

0f6b53720c7556d04c5fed4b07084f86fd115480
SHA256

ee4b567e9ec4039e3494f812a70c14c02865b600a2356e3f5906ac520242839f
SHA512

637668d98a88d73b496fb5c3fb928ab018ece33947cacf8ca7cb42d3874967d07cc995357b8710bc451d1301bb0e41e5000cdfa4f56548f7b983313fd49b358e

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.asicprominer.com/umSa/

Decoy

lessensations.com

growcerybank.com

rvworkforce.com

djangosports.com

jgrosinger.com

tongjiash.com

rianebrady.com

xiaoxu.info

allwaysautism.com

couturev.com

dantedikhali.com

sagamoreca.com

sandisyardsale.com

happizi.com

moonchildboxco.store

maquillajembp.com

sojubythebay.com

verdexwellness.com

authenticperiod.cloud

bitpreserve.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3056-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3056-13-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/2688-15-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

FtLroeD5Kmr6rNC.exeFtLroeD5Kmr6rNC.execolorcpl.exe

description	pid	process	target process
PID 60 set thread context of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 3056 set thread context of 3012	3056	FtLroeD5Kmr6rNC.exe	Explorer.EXE
PID 3056 set thread context of 3012	3056	FtLroeD5Kmr6rNC.exe	Explorer.EXE
PID 2688 set thread context of 3012	2688	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

FtLroeD5Kmr6rNC.exeFtLroeD5Kmr6rNC.execolorcpl.exe

pid	process
60	FtLroeD5Kmr6rNC.exe
60	FtLroeD5Kmr6rNC.exe
60	FtLroeD5Kmr6rNC.exe
60	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe
2688	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

FtLroeD5Kmr6rNC.execolorcpl.exe

pid process

3056 FtLroeD5Kmr6rNC.exe
3056 FtLroeD5Kmr6rNC.exe
3056 FtLroeD5Kmr6rNC.exe
3056 FtLroeD5Kmr6rNC.exe
2688 colorcpl.exe
2688 colorcpl.exe

pid	process
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
3056	FtLroeD5Kmr6rNC.exe
2688	colorcpl.exe
2688	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FtLroeD5Kmr6rNC.exeFtLroeD5Kmr6rNC.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	60	FtLroeD5Kmr6rNC.exe
Token: SeDebugPrivilege	3056	FtLroeD5Kmr6rNC.exe
Token: SeDebugPrivilege	2688	colorcpl.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

FtLroeD5Kmr6rNC.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 60 wrote to memory of 2384	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 2384	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 2384	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 2216	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 2216	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 2216	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 60 wrote to memory of 3056	60	FtLroeD5Kmr6rNC.exe	FtLroeD5Kmr6rNC.exe
PID 3012 wrote to memory of 2688	3012	Explorer.EXE	colorcpl.exe
PID 3012 wrote to memory of 2688	3012	Explorer.EXE	colorcpl.exe
PID 3012 wrote to memory of 2688	3012	Explorer.EXE	colorcpl.exe
PID 2688 wrote to memory of 512	2688	colorcpl.exe	cmd.exe
PID 2688 wrote to memory of 512	2688	colorcpl.exe	cmd.exe
PID 2688 wrote to memory of 512	2688	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
  "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
    "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
    3⤵
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
    "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
    3⤵
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
    "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
    3⤵
    PID:512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-11-0x0000000000CF0000-0x0000000000D57000-memory.dmp

Filesize
412KB

Download
memory/60-9-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/60-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/60-6-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/60-8-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/60-3-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/60-10-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/60-7-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/512-18-0x0000000000000000-mapping.dmp

Download
memory/2688-15-0x0000000000000000-mapping.dmp

Download
memory/2688-16-0x0000000000B90000-0x0000000000BA9000-memory.dmp

Filesize
100KB

Download
memory/2688-17-0x0000000000B90000-0x0000000000BA9000-memory.dmp

Filesize
100KB

Download
memory/2688-19-0x0000000006A60000-0x0000000006B35000-memory.dmp

Filesize
852KB

Download
memory/3056-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-13-0x000000000041D060-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads