formbook | 5b895b1fe7b66a92588a06eba17a83022da0b539dd9c2eaafbf6082a656f7b57

General

Target

Invoice_20210115122010.scr
Size

295KB
MD5

ca4bbc7aa2c2cd0bf193b1fe0bbd2d49
SHA1

dd82900ef5f0023ebee0c44a7fd0d8bdfea6f635
SHA256

5b895b1fe7b66a92588a06eba17a83022da0b539dd9c2eaafbf6082a656f7b57
SHA512

0968a8deed84c3d6b7b8a77ade86582f67fc276450268414d695c17d7eb78f091e18107185fbb0f3bc269f928aa8763903c5fa37ece68af4863869b63ef040cd

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.elevatedenterprizes.com/h3qo/

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3824-4-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3824-5-0x000000000041D0E0-mapping.dmp	xloader
behavioral2/memory/668-7-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Invoice_20210115122010.scrInvoice_20210115122010.scrraserver.exe

description	pid	process	target process
PID 988 set thread context of 3824	988	Invoice_20210115122010.scr	Invoice_20210115122010.scr
PID 3824 set thread context of 2784	3824	Invoice_20210115122010.scr	Explorer.EXE
PID 668 set thread context of 2784	668	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Invoice_20210115122010.scrraserver.exe

pid	process
3824	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Invoice_20210115122010.scrInvoice_20210115122010.scrraserver.exe

pid	process
988	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
3824	Invoice_20210115122010.scr
668	raserver.exe
668	raserver.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Invoice_20210115122010.scrraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3824	Invoice_20210115122010.scr
Token: SeDebugPrivilege	668	raserver.exe
Token: SeShutdownPrivilege	2784	Explorer.EXE
Token: SeCreatePagefilePrivilege	2784	Explorer.EXE
Token: SeShutdownPrivilege	2784	Explorer.EXE
Token: SeCreatePagefilePrivilege	2784	Explorer.EXE
Token: SeShutdownPrivilege	2784	Explorer.EXE
Token: SeCreatePagefilePrivilege	2784	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2784 Explorer.EXE

pid	process
2784	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Invoice_20210115122010.scrExplorer.EXEraserver.exe

description	pid	process	target process
PID 988 wrote to memory of 2392	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 2392	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 2392	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 2880	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 2880	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 2880	988	Invoice_20210115122010.scr	cmd.exe
PID 988 wrote to memory of 3824	988	Invoice_20210115122010.scr	Invoice_20210115122010.scr
PID 988 wrote to memory of 3824	988	Invoice_20210115122010.scr	Invoice_20210115122010.scr
PID 988 wrote to memory of 3824	988	Invoice_20210115122010.scr	Invoice_20210115122010.scr
PID 988 wrote to memory of 3824	988	Invoice_20210115122010.scr	Invoice_20210115122010.scr
PID 2784 wrote to memory of 668	2784	Explorer.EXE	raserver.exe
PID 2784 wrote to memory of 668	2784	Explorer.EXE	raserver.exe
PID 2784 wrote to memory of 668	2784	Explorer.EXE	raserver.exe
PID 668 wrote to memory of 3580	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 3580	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 3580	668	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\Invoice_20210115122010.scr
"C:\Users\Admin\AppData\Local\Temp\Invoice_20210115122010.scr" /S
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\Invoice_20210115122010.scr
"C:\Users\Admin\AppData\Local\Temp\Invoice_20210115122010.scr" /S
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Invoice_20210115122010.scr"
3⤵
PID:3580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-7-0x0000000000000000-mapping.dmp

Download
memory/668-8-0x00000000011F0000-0x000000000120F000-memory.dmp

Filesize
124KB

Download
memory/668-9-0x00000000011F0000-0x000000000120F000-memory.dmp

Filesize
124KB

Download
memory/668-11-0x0000000006700000-0x000000000685E000-memory.dmp

Filesize
1.4MB

Download
memory/2392-2-0x0000000000000000-mapping.dmp

Download
memory/2880-3-0x0000000000000000-mapping.dmp

Download
memory/3580-10-0x0000000000000000-mapping.dmp

Download
memory/3824-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3824-5-0x000000000041D0E0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads