formbook | 0baedfe6121c3fdc3438625335a05080f6e347bf6ff29910d2ff35b2aa02d4d5

General

Target

SKM_C221200706052800.exe
Size

273KB
MD5

3c51788968fa6ed67bde7511b1868b08
SHA1

194e63c851406e2ac39ef09d48ab35871e041ccc
SHA256

0baedfe6121c3fdc3438625335a05080f6e347bf6ff29910d2ff35b2aa02d4d5
SHA512

2f872cd65df657e420c8d47e4b9ef2919ecc4b8170855751f8b26faec02fe59df949cb9c3306327250911292d52261a1a28970c2ba41044e47e4f7cb8a3e4467

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.destinny.com/s9zh/

Decoy

paintedinafrica.com

electrumfix.download

edlange.com

tqiawy.xyz

satiscenter.xyz

nc-affiliates.com

agencybuilderforum.com

testabcde.net

venisseturf.net

rubenvdsande.com

nzmatrimony.com

mdthriftsandflips.com

virtualfxstudio.com

communityinsuranceut.com

qqbokep.com

copeva.net

bookedupdaily.com

houstongrowmyairway.com

fortunapublishing.com

empireplumbingandheating.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3680-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3680-4-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/1048-13-0x0000000000470000-0x0000000000499000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

39 1048 cmstp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
39	1048	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SKM_C221200706052800.exevbc.execmstp.exe

description	pid	process	target process
PID 1360 set thread context of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 3680 set thread context of 2352	3680	vbc.exe	Explorer.EXE
PID 1048 set thread context of 2352	1048	cmstp.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

808 1360 WerFault.exe SKM_C221200706052800.exe

pid	pid_target	process	target process
808	1360	WerFault.exe	SKM_C221200706052800.exe

Suspicious behavior: EnumeratesProcesses 78 IoCs

Processes:

SKM_C221200706052800.exevbc.exeWerFault.execmstp.exe

pid	process
1360	SKM_C221200706052800.exe
1360	SKM_C221200706052800.exe
1360	SKM_C221200706052800.exe
3680	vbc.exe
3680	vbc.exe
3680	vbc.exe
3680	vbc.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
808	WerFault.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe
1048	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.execmstp.exe

pid process

3680 vbc.exe
3680 vbc.exe
3680 vbc.exe
1048 cmstp.exe
1048 cmstp.exe

pid	process
3680	vbc.exe
3680	vbc.exe
3680	vbc.exe
1048	cmstp.exe
1048	cmstp.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

SKM_C221200706052800.exeWerFault.exevbc.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	1360	SKM_C221200706052800.exe
Token: SeRestorePrivilege	808	WerFault.exe
Token: SeBackupPrivilege	808	WerFault.exe
Token: SeDebugPrivilege	3680	vbc.exe
Token: SeDebugPrivilege	808	WerFault.exe
Token: SeShutdownPrivilege	2352	Explorer.EXE
Token: SeCreatePagefilePrivilege	2352	Explorer.EXE
Token: SeShutdownPrivilege	2352	Explorer.EXE
Token: SeCreatePagefilePrivilege	2352	Explorer.EXE
Token: SeShutdownPrivilege	2352	Explorer.EXE
Token: SeCreatePagefilePrivilege	2352	Explorer.EXE
Token: SeDebugPrivilege	1048	cmstp.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2352 Explorer.EXE

pid	process
2352	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SKM_C221200706052800.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 1360 wrote to memory of 3680	1360	SKM_C221200706052800.exe	vbc.exe
PID 2352 wrote to memory of 1048	2352	Explorer.EXE	cmstp.exe
PID 2352 wrote to memory of 1048	2352	Explorer.EXE	cmstp.exe
PID 2352 wrote to memory of 1048	2352	Explorer.EXE	cmstp.exe
PID 1048 wrote to memory of 2796	1048	cmstp.exe	cmd.exe
PID 1048 wrote to memory of 2796	1048	cmstp.exe	cmd.exe
PID 1048 wrote to memory of 2796	1048	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800.exe
"C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1032
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-5-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1048-12-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/1048-10-0x0000000000000000-mapping.dmp

Download
memory/1048-14-0x0000000004570000-0x0000000004890000-memory.dmp

Filesize
3.1MB

Download
memory/1048-13-0x0000000000470000-0x0000000000499000-memory.dmp

Filesize
164KB

Download
memory/1048-15-0x0000000004360000-0x00000000043F0000-memory.dmp

Filesize
576KB

Download
memory/1360-2-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/2352-9-0x0000000005000000-0x000000000517A000-memory.dmp

Filesize
1.5MB

Download
memory/2352-16-0x0000000005180000-0x00000000052B9000-memory.dmp

Filesize
1.2MB

Download
memory/2796-11-0x0000000000000000-mapping.dmp

Download
memory/3680-4-0x000000000041D060-mapping.dmp

Download
memory/3680-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3680-8-0x00000000006F0000-0x0000000000701000-memory.dmp

Filesize
68KB

Download
memory/3680-7-0x0000000000BC0000-0x0000000000EE0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads