formbook | 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a

General

Target

92ff500a693078263908c83b4b290481.exe
Size

569KB
MD5

92ff500a693078263908c83b4b290481
SHA1

fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256

767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
SHA512

8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.herbmedia.net/csv8/

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1828-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1828-10-0x000000000041D0C0-mapping.dmp	xloader
behavioral1/memory/564-11-0x0000000000000000-mapping.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

92ff500a693078263908c83b4b290481.exevbc.exemsdt.exe

description	pid	process	target process
PID 648 set thread context of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1828 set thread context of 1192	1828	vbc.exe	Explorer.EXE
PID 564 set thread context of 1192	564	msdt.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

pid	process
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

92ff500a693078263908c83b4b290481.exevbc.exemsdt.exe

pid	process
648	92ff500a693078263908c83b4b290481.exe
1828	vbc.exe
1828	vbc.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe
564	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exemsdt.exe

pid process

1828 vbc.exe
1828 vbc.exe
1828 vbc.exe
564 msdt.exe
564 msdt.exe

pid	process
1828	vbc.exe
1828	vbc.exe
1828	vbc.exe
564	msdt.exe
564	msdt.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

92ff500a693078263908c83b4b290481.exevbc.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	648	92ff500a693078263908c83b4b290481.exe
Token: SeDebugPrivilege	1828	vbc.exe
Token: SeDebugPrivilege	564	msdt.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
1192 Explorer.EXE
1192 Explorer.EXE
1192 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE
1192 Explorer.EXE
1192 Explorer.EXE
1192 Explorer.EXE

pid	process
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

pid	process
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

92ff500a693078263908c83b4b290481.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 648 wrote to memory of 1652	648	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 648 wrote to memory of 1652	648	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 648 wrote to memory of 1652	648	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 648 wrote to memory of 1652	648	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 648 wrote to memory of 1828	648	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1192 wrote to memory of 564	1192	Explorer.EXE	msdt.exe
PID 1192 wrote to memory of 564	1192	Explorer.EXE	msdt.exe
PID 1192 wrote to memory of 564	1192	Explorer.EXE	msdt.exe
PID 1192 wrote to memory of 564	1192	Explorer.EXE	msdt.exe
PID 564 wrote to memory of 1080	564	msdt.exe	cmd.exe
PID 564 wrote to memory of 1080	564	msdt.exe	cmd.exe
PID 564 wrote to memory of 1080	564	msdt.exe	cmd.exe
PID 564 wrote to memory of 1080	564	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe
"C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcEEHoQdnETCO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp"
3⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp849B.tmp
MD5
6650bf2f44240b096d1b807f4c413457

SHA1
58160b254875bbf08ae22cc15d03fb514c012e5a

SHA256
1cad80e9d172173046fcc07d4c1a80bf25ad5c176e3b2f794fb3ce1ed1ba64cd

SHA512
c4ef528824cc568c99be86525e5bbda8a3820292694de88ac780baf1d60fa43af86cad93a03594b57d8e0b2b321f15fbb5b2b8dd180055ad25d82fe5d69b5052

Download Submit
memory/564-11-0x0000000000000000-mapping.dmp

Download
memory/564-12-0x0000000000480000-0x0000000000574000-memory.dmp

Filesize
976KB

Download
memory/564-14-0x0000000004DC0000-0x0000000004F02000-memory.dmp

Filesize
1.3MB

Download
memory/648-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/648-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/648-5-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/648-6-0x0000000004BF0000-0x0000000004C6A000-memory.dmp

Filesize
488KB

Download
memory/1080-13-0x0000000000000000-mapping.dmp

Download
memory/1652-7-0x0000000000000000-mapping.dmp

Download
memory/1828-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1828-10-0x000000000041D0C0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads