formbook | 7aa2116b5dcb055987e0e18b5e2f869eae15f6093adfd55b6a6d28b8be53dcb4

General

Target

SUNEJ PAYMENT.exe
Size

939KB
MD5

b6b8a1ad3d8f308457b07b88afeab4cd
SHA1

f49329c30a3870c5b4c0b988197045140a6d5c23
SHA256

7aa2116b5dcb055987e0e18b5e2f869eae15f6093adfd55b6a6d28b8be53dcb4
SHA512

7fc6887f80879d04ceac0b4a59f9cb5161a8f52474afa4f14394051ff4d2c2a63e9afd1729824a8ac39c4767e56a086e70072b4913096e3a1c18e8c26451b6d7

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.a-emeservice.com/m8ec/

Decoy

thomascraigwealth.com

melbournemedicalhealth.net

tdxcoin.com

lukassbprojects.net

aldemallc.com

moqawalat-kuwait.com

txcsco.com

jobcarepro.com

sedotwcmedanmurah.com

niconthenine.com

radliffrehab.com

infiniteechogroup.com

stellantis-luxury-rent.com

ibusehat.info

resellerauctions.com

softwarexprogrammers.com

bumpnlifestyle.com

mintmacher.com

partapprintercare.com

justrightinsurance.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4220-4-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4220-5-0x000000000041D0A0-mapping.dmp	xloader
behavioral2/memory/3156-15-0x0000000000560000-0x0000000000589000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

SUNEJ PAYMENT.exeSUNEJ PAYMENT.exeNETSTAT.EXE

description	pid	process	target process
PID 4648 set thread context of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4220 set thread context of 3108	4220	SUNEJ PAYMENT.exe	Explorer.EXE
PID 4220 set thread context of 3108	4220	SUNEJ PAYMENT.exe	Explorer.EXE
PID 3156 set thread context of 3108	3156	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3156 NETSTAT.EXE

pid	process
3156	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

SUNEJ PAYMENT.exeNETSTAT.EXE

pid	process
4220	SUNEJ PAYMENT.exe
4220	SUNEJ PAYMENT.exe
4220	SUNEJ PAYMENT.exe
4220	SUNEJ PAYMENT.exe
4220	SUNEJ PAYMENT.exe
4220	SUNEJ PAYMENT.exe
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE
3156	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

SUNEJ PAYMENT.exeNETSTAT.EXE

pid process

4220 SUNEJ PAYMENT.exe
4220 SUNEJ PAYMENT.exe
4220 SUNEJ PAYMENT.exe
4220 SUNEJ PAYMENT.exe
3156 NETSTAT.EXE
3156 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SUNEJ PAYMENT.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4220 SUNEJ PAYMENT.exe
Token: SeDebugPrivilege 3156 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4220	SUNEJ PAYMENT.exe
Token: SeDebugPrivilege	3156	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SUNEJ PAYMENT.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 4648 wrote to memory of 4220	4648	SUNEJ PAYMENT.exe	SUNEJ PAYMENT.exe
PID 3108 wrote to memory of 3156	3108	Explorer.EXE	NETSTAT.EXE
PID 3108 wrote to memory of 3156	3108	Explorer.EXE	NETSTAT.EXE
PID 3108 wrote to memory of 3156	3108	Explorer.EXE	NETSTAT.EXE
PID 3156 wrote to memory of 3276	3156	NETSTAT.EXE	cmd.exe
PID 3156 wrote to memory of 3276	3156	NETSTAT.EXE	cmd.exe
PID 3156 wrote to memory of 3276	3156	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\SUNEJ PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SUNEJ PAYMENT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\SUNEJ PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SUNEJ PAYMENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3956

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3988

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4028

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4080

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3264

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SUNEJ PAYMENT.exe"
3⤵
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3108-19-0x00000000068B0000-0x000000000699B000-memory.dmp

Filesize
940KB

Download
memory/3108-9-0x0000000006BC0000-0x0000000006D1B000-memory.dmp

Filesize
1.4MB

Download
memory/3108-11-0x00000000032A0000-0x0000000003376000-memory.dmp

Filesize
856KB

Download
memory/3156-12-0x0000000000000000-mapping.dmp

Download
memory/3156-17-0x0000000002E70000-0x0000000002F00000-memory.dmp

Filesize
576KB

Download
memory/3156-16-0x0000000003010000-0x0000000003330000-memory.dmp

Filesize
3.1MB

Download
memory/3156-15-0x0000000000560000-0x0000000000589000-memory.dmp

Filesize
164KB

Download
memory/3156-14-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/3276-13-0x0000000000000000-mapping.dmp

Download
memory/4220-8-0x0000000000B50000-0x0000000000B61000-memory.dmp

Filesize
68KB

Download
memory/4220-10-0x0000000000C90000-0x0000000000CA1000-memory.dmp

Filesize
68KB

Download
memory/4220-7-0x0000000001150000-0x0000000001470000-memory.dmp

Filesize
3.1MB

Download
memory/4220-5-0x000000000041D0A0-mapping.dmp

Download
memory/4220-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4648-2-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4648-3-0x0000000002B11000-0x0000000002B12000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads