formbook | 26b068137a8264f4aba9c3617a289417ead13d0c9d53f86a3158c1d113dbf86d

General

Target

PO#416421.exe
Size

176KB
MD5

18ec4947cbfb82bda1635a855b9b4763
SHA1

6083fb410e0bd21b5bc0f635861758b2747821ab
SHA256

26b068137a8264f4aba9c3617a289417ead13d0c9d53f86a3158c1d113dbf86d
SHA512

3283e0b3e64df7b60b6a71f524f83b107a7ce9d577a147da3a0490bd61c5ffd373887730b33ca347cbf21608ac5cb3bbf6d6d1338377d64eaab5ff8cc5963c72

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.tzmm.net/wpsb/

Decoy

0817ls.com

drawbeirut.com

respiteready.com

yufkayurek.com

poss-plus.com

distributesimilar.com

mcmendzlawns.com

bingent.info

wellnessandcomfort.com

humilityhope.com

recetasfes.com

olala.asia

epochryphal.com

room-lettings-onlines.club

lvc.xyz

reicolee.com

davidmarkphotovideo.photography

corpuschristicarbuyers.com

tutorialyoutube.com

ativ.pro

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1912-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1912-4-0x000000000041D040-mapping.dmp	xloader
behavioral2/memory/2144-6-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO#416421.exePO#416421.execmmon32.exe

description	pid	process	target process
PID 3992 set thread context of 1912	3992	PO#416421.exe	PO#416421.exe
PID 1912 set thread context of 3036	1912	PO#416421.exe	Explorer.EXE
PID 1912 set thread context of 3036	1912	PO#416421.exe	Explorer.EXE
PID 2144 set thread context of 3036	2144	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

PO#416421.execmmon32.exe

pid	process
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe
2144	cmmon32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

PO#416421.exePO#416421.execmmon32.exe

pid process

3992 PO#416421.exe
1912 PO#416421.exe
1912 PO#416421.exe
1912 PO#416421.exe
1912 PO#416421.exe
2144 cmmon32.exe
2144 cmmon32.exe

pid	process
3992	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
1912	PO#416421.exe
2144	cmmon32.exe
2144	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

PO#416421.execmmon32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1912	PO#416421.exe
Token: SeDebugPrivilege	2144	cmmon32.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

pid	process
3036	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO#416421.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3992 wrote to memory of 1228	3992	PO#416421.exe	cmd.exe
PID 3992 wrote to memory of 1228	3992	PO#416421.exe	cmd.exe
PID 3992 wrote to memory of 1228	3992	PO#416421.exe	cmd.exe
PID 3992 wrote to memory of 1912	3992	PO#416421.exe	PO#416421.exe
PID 3992 wrote to memory of 1912	3992	PO#416421.exe	PO#416421.exe
PID 3992 wrote to memory of 1912	3992	PO#416421.exe	PO#416421.exe
PID 3992 wrote to memory of 1912	3992	PO#416421.exe	PO#416421.exe
PID 3036 wrote to memory of 2144	3036	Explorer.EXE	cmmon32.exe
PID 3036 wrote to memory of 2144	3036	Explorer.EXE	cmmon32.exe
PID 3036 wrote to memory of 2144	3036	Explorer.EXE	cmmon32.exe
PID 2144 wrote to memory of 3820	2144	cmmon32.exe	cmd.exe
PID 2144 wrote to memory of 3820	2144	cmmon32.exe	cmd.exe
PID 2144 wrote to memory of 3820	2144	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\PO#416421.exe
"C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\PO#416421.exe
"C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2672

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2704

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2708

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
3⤵
PID:3820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-2-0x0000000000000000-mapping.dmp

Download
memory/1912-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1912-4-0x000000000041D040-mapping.dmp

Download
memory/2144-6-0x0000000000000000-mapping.dmp

Download
memory/2144-7-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2144-8-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/3036-11-0x00000000053F0000-0x0000000005537000-memory.dmp

Filesize
1.3MB

Download
memory/3820-9-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads