formbook | 6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087

General

Target

1c68b56f273eab047eccce3cbad492a5.exe
Size

885KB
MD5

1c68b56f273eab047eccce3cbad492a5
SHA1

76598e8315496d2bfcaa35edd12f521483ff5c31
SHA256

6961aeab02e7dafda1e2f16e9ec88fd5dce6199925a71f22657a2c48627ae087
SHA512

7f24e6f61a86314e91275d4492b74659ca34f036fb32c20eccaebd68410a228dae3d1bca2f6faa74933692b50a19aca693b3c5ca803c3717175e19b58d1ba6e6

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.kaiyuansu.pro/incn/

Decoy

1bovvfk93jd.com

enlightenedhealthcoaching.com

findthatsmartphone.com

intelligentsystemsus.com

xn--lmsealamientos-tnb.com

eot0luh5ia.men

babanewshop.com

beyond-bit.com

meritane.com

buythinsecret.com

c2ornot.com

twelvesband.com

rktlends.com

bourseandish.com

happyshop88.com

topangacanyonvintage.com

epersonalloansonline.com

roofers-anaheim.com

shanghaiys.net

bickel.wtf

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1660-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1660-9-0x000000000041D060-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

1c68b56f273eab047eccce3cbad492a5.exe

description pid process target process

PID 1636 set thread context of 1660 1636 1c68b56f273eab047eccce3cbad492a5.exe 1c68b56f273eab047eccce3cbad492a5.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1c68b56f273eab047eccce3cbad492a5.exe

pid process

1660 1c68b56f273eab047eccce3cbad492a5.exe

description	pid	process	target process
PID 1636 set thread context of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe

pid	process
1660	1c68b56f273eab047eccce3cbad492a5.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1c68b56f273eab047eccce3cbad492a5.exe

description	pid	process	target process
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe
PID 1636 wrote to memory of 1660	1636	1c68b56f273eab047eccce3cbad492a5.exe	1c68b56f273eab047eccce3cbad492a5.exe

C:\Users\Admin\AppData\Local\Temp\1c68b56f273eab047eccce3cbad492a5.exe
"C:\Users\Admin\AppData\Local\Temp\1c68b56f273eab047eccce3cbad492a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\1c68b56f273eab047eccce3cbad492a5.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1636-5-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1636-6-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/1636-7-0x0000000002200000-0x0000000002255000-memory.dmp

Filesize
340KB

Download
memory/1660-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-9-0x000000000041D060-mapping.dmp

Download
memory/1660-11-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing