formbook | c41c3e04f58d643f5d30f52077a53a8c151d835aa44da144b9165a0297314f14

General

Target

78977c6e1352baf3e4659e10724ac05f.exe
Size

644KB
MD5

78977c6e1352baf3e4659e10724ac05f
SHA1

7a81e17504370035e70e0452b772fef857e5e169
SHA256

c41c3e04f58d643f5d30f52077a53a8c151d835aa44da144b9165a0297314f14
SHA512

f83606e8789dbc00321eb48a8521c4e75f48ca2fc0b6f60cb90ad9ff58e8b5cf3102a4382a806a4b5c30986446d7cb2b9df684e74b47f3da95eec5fd676e4559

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1396-7-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1396-8-0x000000000041D030-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

78977c6e1352baf3e4659e10724ac05f.exe

description pid process target process

PID 932 set thread context of 1396 932 78977c6e1352baf3e4659e10724ac05f.exe 78977c6e1352baf3e4659e10724ac05f.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

78977c6e1352baf3e4659e10724ac05f.exe78977c6e1352baf3e4659e10724ac05f.exe

pid process

932 78977c6e1352baf3e4659e10724ac05f.exe
932 78977c6e1352baf3e4659e10724ac05f.exe
1396 78977c6e1352baf3e4659e10724ac05f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

78977c6e1352baf3e4659e10724ac05f.exe

description pid process

Token: SeDebugPrivilege 932 78977c6e1352baf3e4659e10724ac05f.exe

description	pid	process	target process
PID 932 set thread context of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe

pid	process
932	78977c6e1352baf3e4659e10724ac05f.exe
932	78977c6e1352baf3e4659e10724ac05f.exe
1396	78977c6e1352baf3e4659e10724ac05f.exe

description	pid	process
Token: SeDebugPrivilege	932	78977c6e1352baf3e4659e10724ac05f.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

78977c6e1352baf3e4659e10724ac05f.exe

description	pid	process	target process
PID 932 wrote to memory of 904	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 904	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 904	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 904	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe
PID 932 wrote to memory of 1396	932	78977c6e1352baf3e4659e10724ac05f.exe	78977c6e1352baf3e4659e10724ac05f.exe

C:\Users\Admin\AppData\Local\Temp\78977c6e1352baf3e4659e10724ac05f.exe
"C:\Users\Admin\AppData\Local\Temp\78977c6e1352baf3e4659e10724ac05f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\78977c6e1352baf3e4659e10724ac05f.exe
"{path}"
2⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\78977c6e1352baf3e4659e10724ac05f.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/932-3-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/932-5-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/932-6-0x00000000056C0000-0x000000000574E000-memory.dmp

Filesize
568KB

Download
memory/1396-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1396-8-0x000000000041D030-mapping.dmp

Download

Analysis

Sharing