formbook | 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a

General

Target

92ff500a693078263908c83b4b290481.exe
Size

569KB
MD5

92ff500a693078263908c83b4b290481
SHA1

fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256

767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
SHA512

8478c8b88309d55c83ab4a5f3af0367f19bb02a2b62db4a790ff7e867aa0ffe422cd4d177bbd3ad25d19cd0049ed196ec3910a72c7e3935fed0991cc783f0d1d

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.herbmedia.net/csv8/

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3552-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3552-14-0x000000000041D0C0-mapping.dmp	xloader
behavioral2/memory/1988-15-0x0000000000000000-mapping.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

92ff500a693078263908c83b4b290481.exevbc.exemstsc.exe

description	pid	process	target process
PID 1924 set thread context of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 3552 set thread context of 3000	3552	vbc.exe	Explorer.EXE
PID 1988 set thread context of 3000	1988	mstsc.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2844 schtasks.exe

pid	process
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

vbc.exemstsc.exe

pid	process
3552	vbc.exe
3552	vbc.exe
3552	vbc.exe
3552	vbc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe
1988	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exemstsc.exe

pid process

3552 vbc.exe
3552 vbc.exe
3552 vbc.exe
1988 mstsc.exe
1988 mstsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeExplorer.EXEmstsc.exe

description	pid	process
Token: SeDebugPrivilege	3552	vbc.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeDebugPrivilege	1988	mstsc.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE

pid	process
3000	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

92ff500a693078263908c83b4b290481.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1924 wrote to memory of 2844	1924	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 1924 wrote to memory of 2844	1924	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 1924 wrote to memory of 2844	1924	92ff500a693078263908c83b4b290481.exe	schtasks.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 1924 wrote to memory of 3552	1924	92ff500a693078263908c83b4b290481.exe	vbc.exe
PID 3000 wrote to memory of 1988	3000	Explorer.EXE	mstsc.exe
PID 3000 wrote to memory of 1988	3000	Explorer.EXE	mstsc.exe
PID 3000 wrote to memory of 1988	3000	Explorer.EXE	mstsc.exe
PID 1988 wrote to memory of 2744	1988	mstsc.exe	cmd.exe
PID 1988 wrote to memory of 2744	1988	mstsc.exe	cmd.exe
PID 1988 wrote to memory of 2744	1988	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe
"C:\Users\Admin\AppData\Local\Temp\92ff500a693078263908c83b4b290481.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JcEEHoQdnETCO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1463.tmp"
3⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1463.tmp
MD5
a952ff45e054d16c68eb08f9ea790303

SHA1
b8fc672cb2fb948b79544e5510657ac959459a22

SHA256
e8ddda06941592fcf733a973c64e14eb3d1ffcbb801050a662a9eb694b100b1a

SHA512
e30d510d9c855ff8f64d47593cd10f5fdbcc3ddb4b9da8a95dbb93524ab688ea262f821a47c786f6979820be2c22bc9e315d4fe83a989a0a51e6f13b4175ab40

Download Submit
memory/1924-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1924-5-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/1924-6-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1924-7-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1924-8-0x0000000005460000-0x000000000546E000-memory.dmp

Filesize
56KB

Download
memory/1924-9-0x00000000060E0000-0x000000000615A000-memory.dmp

Filesize
488KB

Download
memory/1924-10-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1988-15-0x0000000000000000-mapping.dmp

Download
memory/1988-16-0x0000000000E00000-0x00000000010FC000-memory.dmp

Filesize
3.0MB

Download
memory/1988-17-0x0000000000E00000-0x00000000010FC000-memory.dmp

Filesize
3.0MB

Download
memory/2744-18-0x0000000000000000-mapping.dmp

Download
memory/2844-11-0x0000000000000000-mapping.dmp

Download
memory/3552-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3552-14-0x000000000041D0C0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads