formbook | 098a33a70506458d7e349d06aac9ca3e3a2a3f73efa39d82942eeff3adc24509

General

Target

YUAN PAYMENT.exe
Size

1.2MB
MD5

c3548520f4207f36dff807aaca9374d7
SHA1

a9e11e5e8624b789a8e7dd2d6b4e8d8a86b8fae5
SHA256

098a33a70506458d7e349d06aac9ca3e3a2a3f73efa39d82942eeff3adc24509
SHA512

5260a481fb96f905782b3e65db67d6e7e7216ca39da05980b724af1acbb2681ff69a405f5999f0e2685b9c20a7a833f0ed3a56ca512e99e08507305b84e9df25

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.a-emeservice.com/m8ec/

Decoy

thomascraigwealth.com

melbournemedicalhealth.net

tdxcoin.com

lukassbprojects.net

aldemallc.com

moqawalat-kuwait.com

txcsco.com

jobcarepro.com

sedotwcmedanmurah.com

niconthenine.com

radliffrehab.com

infiniteechogroup.com

stellantis-luxury-rent.com

ibusehat.info

resellerauctions.com

softwarexprogrammers.com

bumpnlifestyle.com

mintmacher.com

partapprintercare.com

justrightinsurance.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1268-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1268-13-0x000000000041D0A0-mapping.dmp	xloader
behavioral2/memory/3960-14-0x0000000000000000-mapping.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

YUAN PAYMENT.exeYUAN PAYMENT.exehelp.exe

description	pid	process	target process
PID 3988 set thread context of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 1268 set thread context of 3036	1268	YUAN PAYMENT.exe	Explorer.EXE
PID 3960 set thread context of 3036	3960	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

YUAN PAYMENT.exehelp.exe

pid	process
1268	YUAN PAYMENT.exe
1268	YUAN PAYMENT.exe
1268	YUAN PAYMENT.exe
1268	YUAN PAYMENT.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe
3960	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

YUAN PAYMENT.exehelp.exe

pid process

1268 YUAN PAYMENT.exe
1268 YUAN PAYMENT.exe
1268 YUAN PAYMENT.exe
3960 help.exe
3960 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

YUAN PAYMENT.exehelp.exe

description pid process

Token: SeDebugPrivilege 1268 YUAN PAYMENT.exe
Token: SeDebugPrivilege 3960 help.exe

description	pid	process
Token: SeDebugPrivilege	1268	YUAN PAYMENT.exe
Token: SeDebugPrivilege	3960	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

YUAN PAYMENT.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3988 wrote to memory of 1268	3988	YUAN PAYMENT.exe	YUAN PAYMENT.exe
PID 3036 wrote to memory of 3960	3036	Explorer.EXE	help.exe
PID 3036 wrote to memory of 3960	3036	Explorer.EXE	help.exe
PID 3036 wrote to memory of 3960	3036	Explorer.EXE	help.exe
PID 3960 wrote to memory of 3932	3960	help.exe	cmd.exe
PID 3960 wrote to memory of 3932	3960	help.exe	cmd.exe
PID 3960 wrote to memory of 3932	3960	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\YUAN PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\YUAN PAYMENT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\YUAN PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\YUAN PAYMENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\YUAN PAYMENT.exe"
3⤵
PID:3932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1268-13-0x000000000041D0A0-mapping.dmp

Download
memory/3932-17-0x0000000000000000-mapping.dmp

Download
memory/3960-16-0x0000000000050000-0x0000000000057000-memory.dmp

Filesize
28KB

Download
memory/3960-15-0x0000000000050000-0x0000000000057000-memory.dmp

Filesize
28KB

Download
memory/3960-14-0x0000000000000000-mapping.dmp

Download
memory/3988-6-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/3988-10-0x0000000002B60000-0x0000000002B73000-memory.dmp

Filesize
76KB

Download
memory/3988-11-0x0000000000F70000-0x0000000000FD5000-memory.dmp

Filesize
404KB

Download
memory/3988-9-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3988-8-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/3988-7-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/3988-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3988-5-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/3988-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads