formbook | edcbf58883f09441ef7eb461421b7ec33655663420ba2722ef5c45b62600f25c

General

Target

93c377f5008833ebaf3f50983084a0e5.exe
Size

561KB
MD5

93c377f5008833ebaf3f50983084a0e5
SHA1

0fe9b1de40e7f16c6b4654549a035e363f7844f5
SHA256

edcbf58883f09441ef7eb461421b7ec33655663420ba2722ef5c45b62600f25c
SHA512

ef08c4d8f766bf231b9bfaf2c7e8e6ed7470b7487886fe6859fef63040d754658b4cb6d6c05cbbfc2ddcafd03a8f61eb7530746d2df7a73c39482b2123380fa9

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1656-7-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1656-8-0x000000000041D030-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

93c377f5008833ebaf3f50983084a0e5.exe

description pid process target process

PID 784 set thread context of 1656 784 93c377f5008833ebaf3f50983084a0e5.exe 93c377f5008833ebaf3f50983084a0e5.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

93c377f5008833ebaf3f50983084a0e5.exe

pid process

1656 93c377f5008833ebaf3f50983084a0e5.exe

description	pid	process	target process
PID 784 set thread context of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe

pid	process
1656	93c377f5008833ebaf3f50983084a0e5.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

93c377f5008833ebaf3f50983084a0e5.exe

description	pid	process	target process
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe
PID 784 wrote to memory of 1656	784	93c377f5008833ebaf3f50983084a0e5.exe	93c377f5008833ebaf3f50983084a0e5.exe

C:\Users\Admin\AppData\Local\Temp\93c377f5008833ebaf3f50983084a0e5.exe
"C:\Users\Admin\AppData\Local\Temp\93c377f5008833ebaf3f50983084a0e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\93c377f5008833ebaf3f50983084a0e5.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/784-3-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/784-5-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/784-6-0x0000000005580000-0x00000000055F6000-memory.dmp

Filesize
472KB

Download
memory/1656-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1656-8-0x000000000041D030-mapping.dmp

Download

Analysis

Sharing