formbook | b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55

General

Target

ed0bbf9e05f2a65461df693133b7a9c2.exe
Size

1.4MB
MD5

ed0bbf9e05f2a65461df693133b7a9c2
SHA1

89eb1e20c43836da2c7f5a3ff8d51af83a08c116
SHA256

b96e65c2c4d2cdbe32d98e9f24a1e5f1d74bdaa0f47088cc70d48f4be730dc55
SHA512

6eac3e00dfb7aabb4b96d0d17c02585d46638ff4006ff07cefd36fcc7cee2a4ba669a338ba8632823b62d644adfb82c884a7bdc44f89a696636c019922ddcc2a

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1652-7-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1652-8-0x000000000041CFF0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed0bbf9e05f2a65461df693133b7a9c2.exe

description pid process target process

PID 936 set thread context of 1652 936 ed0bbf9e05f2a65461df693133b7a9c2.exe ed0bbf9e05f2a65461df693133b7a9c2.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ed0bbf9e05f2a65461df693133b7a9c2.exe

pid process

1652 ed0bbf9e05f2a65461df693133b7a9c2.exe

description	pid	process	target process
PID 936 set thread context of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe

pid	process
1652	ed0bbf9e05f2a65461df693133b7a9c2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ed0bbf9e05f2a65461df693133b7a9c2.exe

description	pid	process	target process
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe
PID 936 wrote to memory of 1652	936	ed0bbf9e05f2a65461df693133b7a9c2.exe	ed0bbf9e05f2a65461df693133b7a9c2.exe

C:\Users\Admin\AppData\Local\Temp\ed0bbf9e05f2a65461df693133b7a9c2.exe
"C:\Users\Admin\AppData\Local\Temp\ed0bbf9e05f2a65461df693133b7a9c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\ed0bbf9e05f2a65461df693133b7a9c2.exe
"C:\Users\Admin\AppData\Local\Temp\ed0bbf9e05f2a65461df693133b7a9c2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/936-3-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/936-5-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/936-6-0x0000000001280000-0x00000000012E6000-memory.dmp

Filesize
408KB

Download
memory/1652-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-8-0x000000000041CFF0-mapping.dmp

Download

Analysis

Sharing