formbook | 73384c630a5bcbb5201f567aa142fc712df5c2ceb9b61c301a5e4a025af2b3ca

General

Target

TEC20201601.exe
Size

1.2MB
MD5

19682ff802fd6fc13c896ba4572e9edc
SHA1

c52eed4a18f23464ef7c8968c4a7cad63564d2e6
SHA256

73384c630a5bcbb5201f567aa142fc712df5c2ceb9b61c301a5e4a025af2b3ca
SHA512

31b65796fa7de32a80ab5244edea91642cca0b3161bd82a93d5601bd1f9b28b5de6a6647a053dfcfca2d10a54165dcdff9f221cb49690707b9a4a85719a56dc1

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.a-emeservice.com/m8ec/

Decoy

thomascraigwealth.com

melbournemedicalhealth.net

tdxcoin.com

lukassbprojects.net

aldemallc.com

moqawalat-kuwait.com

txcsco.com

jobcarepro.com

sedotwcmedanmurah.com

niconthenine.com

radliffrehab.com

infiniteechogroup.com

stellantis-luxury-rent.com

ibusehat.info

resellerauctions.com

softwarexprogrammers.com

bumpnlifestyle.com

mintmacher.com

partapprintercare.com

justrightinsurance.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2392-9-0x000000000041D0A0-mapping.dmp	xloader
behavioral2/memory/1760-16-0x0000000000A00000-0x0000000000A29000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

TEC20201601.exeTEC20201601.exechkdsk.exe

description	pid	process	target process
PID 812 set thread context of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 2392 set thread context of 3048	2392	TEC20201601.exe	Explorer.EXE
PID 1760 set thread context of 3048	1760	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

TEC20201601.exechkdsk.exe

pid	process
2392	TEC20201601.exe
2392	TEC20201601.exe
2392	TEC20201601.exe
2392	TEC20201601.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

TEC20201601.exechkdsk.exe

pid process

2392 TEC20201601.exe
2392 TEC20201601.exe
2392 TEC20201601.exe
1760 chkdsk.exe
1760 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TEC20201601.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 2392 TEC20201601.exe
Token: SeDebugPrivilege 1760 chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	2392	TEC20201601.exe
Token: SeDebugPrivilege	1760	chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

TEC20201601.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 812 wrote to memory of 2392	812	TEC20201601.exe	TEC20201601.exe
PID 3048 wrote to memory of 1760	3048	Explorer.EXE	chkdsk.exe
PID 3048 wrote to memory of 1760	3048	Explorer.EXE	chkdsk.exe
PID 3048 wrote to memory of 1760	3048	Explorer.EXE	chkdsk.exe
PID 1760 wrote to memory of 2812	1760	chkdsk.exe	cmd.exe
PID 1760 wrote to memory of 2812	1760	chkdsk.exe	cmd.exe
PID 1760 wrote to memory of 2812	1760	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe
"C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe
"C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
3⤵
PID:2812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-7-0x0000000002871000-0x0000000002872000-memory.dmp

Filesize
4KB

Download
memory/812-2-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1760-14-0x0000000000000000-mapping.dmp

Download
memory/1760-19-0x0000000000F80000-0x0000000001010000-memory.dmp

Filesize
576KB

Download
memory/1760-17-0x0000000000BD0000-0x0000000000EF0000-memory.dmp

Filesize
3.1MB

Download
memory/1760-16-0x0000000000A00000-0x0000000000A29000-memory.dmp

Filesize
164KB

Download
memory/1760-15-0x0000000001180000-0x000000000118A000-memory.dmp

Filesize
40KB

Download
memory/2392-9-0x000000000041D0A0-mapping.dmp

Download
memory/2392-11-0x0000000000E90000-0x00000000011B0000-memory.dmp

Filesize
3.1MB

Download
memory/2392-12-0x0000000000E10000-0x0000000000E21000-memory.dmp

Filesize
68KB

Download
memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2812-18-0x0000000000000000-mapping.dmp

Download
memory/3048-13-0x0000000005960000-0x0000000005AB1000-memory.dmp

Filesize
1.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads