formbook | 26b068137a8264f4aba9c3617a289417ead13d0c9d53f86a3158c1d113dbf86d

Resubmissions

17-01-2021 17:41

210117-k1qw448nfe 10

15-01-2021 07:16

210115-49ldfwaptn 10

Analysis

max time kernel
6s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#416421.exe
Size

176KB
MD5

18ec4947cbfb82bda1635a855b9b4763
SHA1

6083fb410e0bd21b5bc0f635861758b2747821ab
SHA256

26b068137a8264f4aba9c3617a289417ead13d0c9d53f86a3158c1d113dbf86d
SHA512

3283e0b3e64df7b60b6a71f524f83b107a7ce9d577a147da3a0490bd61c5ffd373887730b33ca347cbf21608ac5cb3bbf6d6d1338377d64eaab5ff8cc5963c72

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

http://www.tzmm.net/wpsb/

Decoy

0817ls.com

drawbeirut.com

respiteready.com

yufkayurek.com

poss-plus.com

distributesimilar.com

mcmendzlawns.com

bingent.info

wellnessandcomfort.com

humilityhope.com

recetasfes.com

olala.asia

epochryphal.com

room-lettings-onlines.club

lvc.xyz

reicolee.com

davidmarkphotovideo.photography

corpuschristicarbuyers.com

tutorialyoutube.com

ativ.pro

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1316-3-0x0000000000070000-0x0000000000098000-memory.dmp	xloader
behavioral1/memory/1316-4-0x000000000008D040-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#416421.exe

description pid process target process

PID 324 set thread context of 1316 324 PO#416421.exe PO#416421.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1188 1316 WerFault.exe PO#416421.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

PO#416421.exe

pid process

324 PO#416421.exe
324 PO#416421.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1188 WerFault.exe

description	pid	process	target process
PID 324 set thread context of 1316	324	PO#416421.exe	PO#416421.exe

pid	pid_target	process	target process
1188	1316	WerFault.exe	PO#416421.exe

pid	process
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe

pid	process
324	PO#416421.exe
324	PO#416421.exe

description	pid	process
Token: SeDebugPrivilege	1188	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO#416421.exePO#416421.exe

description	pid	process	target process
PID 324 wrote to memory of 1968	324	PO#416421.exe	cmd.exe
PID 324 wrote to memory of 1968	324	PO#416421.exe	cmd.exe
PID 324 wrote to memory of 1968	324	PO#416421.exe	cmd.exe
PID 324 wrote to memory of 1968	324	PO#416421.exe	cmd.exe
PID 324 wrote to memory of 1316	324	PO#416421.exe	PO#416421.exe
PID 324 wrote to memory of 1316	324	PO#416421.exe	PO#416421.exe
PID 324 wrote to memory of 1316	324	PO#416421.exe	PO#416421.exe
PID 324 wrote to memory of 1316	324	PO#416421.exe	PO#416421.exe
PID 324 wrote to memory of 1316	324	PO#416421.exe	PO#416421.exe
PID 1316 wrote to memory of 1188	1316	PO#416421.exe	WerFault.exe
PID 1316 wrote to memory of 1188	1316	PO#416421.exe	WerFault.exe
PID 1316 wrote to memory of 1188	1316	PO#416421.exe	WerFault.exe
PID 1316 wrote to memory of 1188	1316	PO#416421.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO#416421.exe
"C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\PO#416421.exe
"C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 36
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-5-0x0000000000000000-mapping.dmp

Download
memory/1188-6-0x00000000021B0000-0x00000000021C1000-memory.dmp

Filesize
68KB

Download
memory/1188-7-0x0000000002580000-0x0000000002591000-memory.dmp

Filesize
68KB

Download
memory/1316-3-0x0000000000070000-0x0000000000098000-memory.dmp

Filesize
160KB

Download
memory/1316-4-0x000000000008D040-mapping.dmp

Download
memory/1968-2-0x0000000000000000-mapping.dmp

Download