formbook | 41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70

General

Target

cd925558146dc80ccf028ce0e9a5c542.exe
Size

850KB
MD5

cd925558146dc80ccf028ce0e9a5c542
SHA1

e91a37336f7c2accce48b407f622e1c2bfb7c76f
SHA256

41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
SHA512

54df05cc95e14b18c85f1621960ce32e4590b6a7ff06ac365369c3609a32a9dd9559a0ffd584532a1fa6fe591579415722159ac76c1b8bdfa9400034b72a88f4

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.h-v-biz.com/c8so/

Decoy

floeperformancegear.com

youtubeincreaser.com

cbb-is.com

bullsbikeusa.com

mama-asobitai.com

parkdaleliving.com

kinneintl.com

byrondramos.com

topangashaman.com

channel1057.com

nuancedigitalsolutions.com

kumheekim.com

erikating.com

ulinekorea.com

giftoes.com

blacknation.info

eventsdonevirtually.com

mx190501.com

bingent.info

seronofertilitymeds.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3432-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3432-12-0x000000000041CFE0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd925558146dc80ccf028ce0e9a5c542.exe

description pid process target process

PID 4764 set thread context of 3432 4764 cd925558146dc80ccf028ce0e9a5c542.exe cd925558146dc80ccf028ce0e9a5c542.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cd925558146dc80ccf028ce0e9a5c542.execd925558146dc80ccf028ce0e9a5c542.exe

pid process

4764 cd925558146dc80ccf028ce0e9a5c542.exe
3432 cd925558146dc80ccf028ce0e9a5c542.exe
3432 cd925558146dc80ccf028ce0e9a5c542.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd925558146dc80ccf028ce0e9a5c542.exe

description pid process

Token: SeDebugPrivilege 4764 cd925558146dc80ccf028ce0e9a5c542.exe

description	pid	process	target process
PID 4764 set thread context of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe

pid	process
4764	cd925558146dc80ccf028ce0e9a5c542.exe
3432	cd925558146dc80ccf028ce0e9a5c542.exe
3432	cd925558146dc80ccf028ce0e9a5c542.exe

description	pid	process
Token: SeDebugPrivilege	4764	cd925558146dc80ccf028ce0e9a5c542.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cd925558146dc80ccf028ce0e9a5c542.exe

description	pid	process	target process
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe
PID 4764 wrote to memory of 3432	4764	cd925558146dc80ccf028ce0e9a5c542.exe	cd925558146dc80ccf028ce0e9a5c542.exe

C:\Users\Admin\AppData\Local\Temp\cd925558146dc80ccf028ce0e9a5c542.exe
"C:\Users\Admin\AppData\Local\Temp\cd925558146dc80ccf028ce0e9a5c542.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\cd925558146dc80ccf028ce0e9a5c542.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3432

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3432-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3432-12-0x000000000041CFE0-mapping.dmp

Download
memory/4764-2-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4764-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4764-6-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4764-7-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x00000000050D0000-0x00000000050DE000-memory.dmp

Filesize
56KB

Download
memory/4764-9-0x0000000007310000-0x00000000073A1000-memory.dmp

Filesize
580KB

Download
memory/4764-10-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing