formbook | 43822089dc4bbbe3800a980d2ac64435c0b00dd18648c0fd56dda65b11af5a35

General

Target

spptqzbEyNlEJvj.exe
Size

801KB
MD5

fac6e34cc6144304a2a4c9f59ad426cb
SHA1

c28d46950f2f4f163fca3fb042d33ab23a7c81e1
SHA256

43822089dc4bbbe3800a980d2ac64435c0b00dd18648c0fd56dda65b11af5a35
SHA512

3fbc3a9e6d707468d53cf5e0244b5e4c58a85e822605a4cd71b127620736a90d23915a5ba5eaaed825cd55da61e64b7efde7a2c8e6dd6909fa17acff1eb78ccc

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.asicprominer.com/umSa/

Decoy

lessensations.com

growcerybank.com

rvworkforce.com

djangosports.com

jgrosinger.com

tongjiash.com

rianebrady.com

xiaoxu.info

allwaysautism.com

couturev.com

dantedikhali.com

sagamoreca.com

sandisyardsale.com

happizi.com

moonchildboxco.store

maquillajembp.com

sojubythebay.com

verdexwellness.com

authenticperiod.cloud

bitpreserve.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3300-2-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3300-3-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/648-4-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

spptqzbEyNlEJvj.exespptqzbEyNlEJvj.exewscript.exe

description	pid	process	target process
PID 4772 set thread context of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 3300 set thread context of 2576	3300	spptqzbEyNlEJvj.exe	Explorer.EXE
PID 648 set thread context of 2576	648	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

spptqzbEyNlEJvj.exewscript.exe

pid	process
3300	spptqzbEyNlEJvj.exe
3300	spptqzbEyNlEJvj.exe
3300	spptqzbEyNlEJvj.exe
3300	spptqzbEyNlEJvj.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe
648	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

spptqzbEyNlEJvj.exewscript.exe

pid process

3300 spptqzbEyNlEJvj.exe
3300 spptqzbEyNlEJvj.exe
3300 spptqzbEyNlEJvj.exe
648 wscript.exe
648 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

spptqzbEyNlEJvj.exewscript.exe

description pid process

Token: SeDebugPrivilege 3300 spptqzbEyNlEJvj.exe
Token: SeDebugPrivilege 648 wscript.exe

description	pid	process
Token: SeDebugPrivilege	3300	spptqzbEyNlEJvj.exe
Token: SeDebugPrivilege	648	wscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

spptqzbEyNlEJvj.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 4772 wrote to memory of 3300	4772	spptqzbEyNlEJvj.exe	spptqzbEyNlEJvj.exe
PID 2576 wrote to memory of 648	2576	Explorer.EXE	wscript.exe
PID 2576 wrote to memory of 648	2576	Explorer.EXE	wscript.exe
PID 2576 wrote to memory of 648	2576	Explorer.EXE	wscript.exe
PID 648 wrote to memory of 904	648	wscript.exe	cmd.exe
PID 648 wrote to memory of 904	648	wscript.exe	cmd.exe
PID 648 wrote to memory of 904	648	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\spptqzbEyNlEJvj.exe
  "C:\Users\Admin\AppData\Local\Temp\spptqzbEyNlEJvj.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\spptqzbEyNlEJvj.exe
    "C:\Users\Admin\AppData\Local\Temp\spptqzbEyNlEJvj.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\spptqzbEyNlEJvj.exe"
    3⤵
    PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-4-0x0000000000000000-mapping.dmp

Download
memory/648-5-0x00000000010A0000-0x00000000010C7000-memory.dmp

Filesize
156KB

Download
memory/648-6-0x00000000010A0000-0x00000000010C7000-memory.dmp

Filesize
156KB

Download
memory/648-8-0x00000000071D0000-0x000000000735F000-memory.dmp

Filesize
1.6MB

Download
memory/904-7-0x0000000000000000-mapping.dmp

Download
memory/3300-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3300-3-0x000000000041D060-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads