formbook | 034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734

General

Target

LOWE COPY.exe
Size

952KB
MD5

22f9f9ee353bd2cb4fa8402de52626c2
SHA1

8ce8dc75f001d54a622844034d4159268c4bf994
SHA256

034a88044cda55e5e899dda57067450bb725109dcfc9147d6ae41d7b08584734
SHA512

5b29c736ed127800283526cb0538059da973d930d174bd344b0cd5a80e68cbbc586252a88f3e52e115eb9ad757dc734b6c068734e68b024d1487541e60e1e27c

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.a-emeservice.com/m8ec/

Decoy

thomascraigwealth.com

melbournemedicalhealth.net

tdxcoin.com

lukassbprojects.net

aldemallc.com

moqawalat-kuwait.com

txcsco.com

jobcarepro.com

sedotwcmedanmurah.com

niconthenine.com

radliffrehab.com

infiniteechogroup.com

stellantis-luxury-rent.com

ibusehat.info

resellerauctions.com

softwarexprogrammers.com

bumpnlifestyle.com

mintmacher.com

partapprintercare.com

justrightinsurance.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2360-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2360-13-0x000000000041D0A0-mapping.dmp	xloader
behavioral2/memory/1308-14-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

LOWE COPY.exeLOWE COPY.exeipconfig.exe

description	pid	process	target process
PID 540 set thread context of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 2360 set thread context of 3048	2360	LOWE COPY.exe	Explorer.EXE
PID 1308 set thread context of 3048	1308	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1308 ipconfig.exe

pid	process
1308	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

LOWE COPY.exeLOWE COPY.exeipconfig.exe

pid	process
540	LOWE COPY.exe
540	LOWE COPY.exe
2360	LOWE COPY.exe
2360	LOWE COPY.exe
2360	LOWE COPY.exe
2360	LOWE COPY.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe
1308	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LOWE COPY.exeipconfig.exe

pid process

2360 LOWE COPY.exe
2360 LOWE COPY.exe
2360 LOWE COPY.exe
1308 ipconfig.exe
1308 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LOWE COPY.exeLOWE COPY.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 540 LOWE COPY.exe
Token: SeDebugPrivilege 2360 LOWE COPY.exe
Token: SeDebugPrivilege 1308 ipconfig.exe

pid	process
2360	LOWE COPY.exe
2360	LOWE COPY.exe
2360	LOWE COPY.exe
1308	ipconfig.exe
1308	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	540	LOWE COPY.exe
Token: SeDebugPrivilege	2360	LOWE COPY.exe
Token: SeDebugPrivilege	1308	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

LOWE COPY.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 540 wrote to memory of 3920	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 3920	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 3920	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 540 wrote to memory of 2360	540	LOWE COPY.exe	LOWE COPY.exe
PID 3048 wrote to memory of 1308	3048	Explorer.EXE	ipconfig.exe
PID 3048 wrote to memory of 1308	3048	Explorer.EXE	ipconfig.exe
PID 3048 wrote to memory of 1308	3048	Explorer.EXE	ipconfig.exe
PID 1308 wrote to memory of 1240	1308	ipconfig.exe	cmd.exe
PID 1308 wrote to memory of 1240	1308	ipconfig.exe	cmd.exe
PID 1308 wrote to memory of 1240	1308	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe
"C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe
"C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe"
3⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe
"C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LOWE COPY.exe"
3⤵
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-11-0x0000000006530000-0x0000000006591000-memory.dmp

Filesize
388KB

Download
memory/540-9-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/540-5-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/540-6-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/540-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/540-8-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/540-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/540-10-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/540-7-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/1240-17-0x0000000000000000-mapping.dmp

Download
memory/1308-14-0x0000000000000000-mapping.dmp

Download
memory/1308-15-0x00000000000A0000-0x00000000000AB000-memory.dmp

Filesize
44KB

Download
memory/1308-16-0x00000000000A0000-0x00000000000AB000-memory.dmp

Filesize
44KB

Download
memory/1308-18-0x0000000005030000-0x00000000050DE000-memory.dmp

Filesize
696KB

Download
memory/2360-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-13-0x000000000041D0A0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads