formbook | 58b012a7c77564704af9bc88d272f1aa68c6789c84a146d0f566304c370bc89a

General

Target

Shipping Document PL&BL Draft.exe
Size

329KB
MD5

9a35a8f3f77ce5b039c3a8c2763270cd
SHA1

b72765fb0cc02184cfe77401addef4305315e50c
SHA256

58b012a7c77564704af9bc88d272f1aa68c6789c84a146d0f566304c370bc89a
SHA512

91897cdbeda39e71b588ca38a22c58fecbbb95d791886df668f57a5f31db0d9fe0e9c610a5a4b2817df1bbe69c43639ba376402d898fc6125866efe654643b99

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.elevatedenterprizes.com/h3qo/

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1540-4-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1540-5-0x000000000041D0E0-mapping.dmp	xloader
behavioral1/memory/640-8-0x0000000000000000-mapping.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe

pid	process
584	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Shipping Document PL&BL Draft.exeShipping Document PL&BL Draft.execolorcpl.exe

description	pid	process	target process
PID 1972 set thread context of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1540 set thread context of 1388	1540	Shipping Document PL&BL Draft.exe	Explorer.EXE
PID 1540 set thread context of 1388	1540	Shipping Document PL&BL Draft.exe	Explorer.EXE
PID 640 set thread context of 1388	640	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Shipping Document PL&BL Draft.execolorcpl.exe

pid	process
1540	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe
640	colorcpl.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Shipping Document PL&BL Draft.exeShipping Document PL&BL Draft.execolorcpl.exe

pid	process
1972	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
1540	Shipping Document PL&BL Draft.exe
640	colorcpl.exe
640	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Document PL&BL Draft.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1540 Shipping Document PL&BL Draft.exe
Token: SeDebugPrivilege 640 colorcpl.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE
1388 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1540	Shipping Document PL&BL Draft.exe
Token: SeDebugPrivilege	640	colorcpl.exe

pid	process
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE

pid	process
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Shipping Document PL&BL Draft.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1972 wrote to memory of 1476	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1476	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1476	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1476	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1496	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1496	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1496	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1496	1972	Shipping Document PL&BL Draft.exe	cmd.exe
PID 1972 wrote to memory of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1972 wrote to memory of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1972 wrote to memory of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1972 wrote to memory of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1972 wrote to memory of 1540	1972	Shipping Document PL&BL Draft.exe	Shipping Document PL&BL Draft.exe
PID 1388 wrote to memory of 640	1388	Explorer.EXE	colorcpl.exe
PID 1388 wrote to memory of 640	1388	Explorer.EXE	colorcpl.exe
PID 1388 wrote to memory of 640	1388	Explorer.EXE	colorcpl.exe
PID 1388 wrote to memory of 640	1388	Explorer.EXE	colorcpl.exe
PID 640 wrote to memory of 584	640	colorcpl.exe	cmd.exe
PID 640 wrote to memory of 584	640	colorcpl.exe	cmd.exe
PID 640 wrote to memory of 584	640	colorcpl.exe	cmd.exe
PID 640 wrote to memory of 584	640	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:928

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1212

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1660

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1860

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1684

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1672

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:268

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:332

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
3⤵
- Deletes itself
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-10-0x0000000000000000-mapping.dmp

Download
memory/640-8-0x0000000000000000-mapping.dmp

Download
memory/640-9-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download
memory/640-11-0x00000000042E0000-0x00000000043D7000-memory.dmp

Filesize
988KB

Download
memory/1388-7-0x0000000006D40000-0x0000000006E83000-memory.dmp

Filesize
1.3MB

Download
memory/1476-2-0x0000000000000000-mapping.dmp

Download
memory/1496-3-0x0000000000000000-mapping.dmp

Download
memory/1540-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1540-5-0x000000000041D0E0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads