formbook | 10d1e607e170563551b4dc8ce160b907067143b8222418cab17620481c3471c9

General

Target

dir2.exe
Size

1.5MB
MD5

ac44dce1ac1b90aec13f71bed7a27f14
SHA1

baadfc03a182da09e604235679cdde0feae32e28
SHA256

10d1e607e170563551b4dc8ce160b907067143b8222418cab17620481c3471c9
SHA512

435e10cd48ee663a28912aeb8dc13fb9cb09ee86a92113f2d88f75548b969378881de60eaf72e694f3c49db1cc040c1fa0aea8f8fceeb05cb492c32d0a2ad731

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3260-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3260-15-0x000000000041CFF0-mapping.dmp	xloader
behavioral2/memory/2224-23-0x00000000003C0000-0x00000000003E8000-memory.dmp	xloader

Suspicious use of SetThreadContext 2 IoCs

Processes:

dir2.exedir2.exe

description pid process target process

PID 728 set thread context of 3260 728 dir2.exe dir2.exe
PID 3260 set thread context of 2968 3260 dir2.exe Explorer.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

dir2.exemsdt.exe

pid process

3260 dir2.exe
3260 dir2.exe
3260 dir2.exe
3260 dir2.exe
2224 msdt.exe
2224 msdt.exe
2224 msdt.exe
2224 msdt.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

dir2.exemsdt.exe

pid process

3260 dir2.exe
3260 dir2.exe
3260 dir2.exe
2224 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dir2.exemsdt.exe

description pid process

Token: SeDebugPrivilege 3260 dir2.exe
Token: SeDebugPrivilege 2224 msdt.exe

description	pid	process	target process
PID 728 set thread context of 3260	728	dir2.exe	dir2.exe
PID 3260 set thread context of 2968	3260	dir2.exe	Explorer.EXE

pid	process
3260	dir2.exe
3260	dir2.exe
3260	dir2.exe
3260	dir2.exe
2224	msdt.exe
2224	msdt.exe
2224	msdt.exe
2224	msdt.exe

pid	process
3260	dir2.exe
3260	dir2.exe
3260	dir2.exe
2224	msdt.exe

description	pid	process
Token: SeDebugPrivilege	3260	dir2.exe
Token: SeDebugPrivilege	2224	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

dir2.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 728 wrote to memory of 3260	728	dir2.exe	dir2.exe
PID 2968 wrote to memory of 2224	2968	Explorer.EXE	msdt.exe
PID 2968 wrote to memory of 2224	2968	Explorer.EXE	msdt.exe
PID 2968 wrote to memory of 2224	2968	Explorer.EXE	msdt.exe
PID 2224 wrote to memory of 1092	2224	msdt.exe	cmd.exe
PID 2224 wrote to memory of 1092	2224	msdt.exe	cmd.exe
PID 2224 wrote to memory of 1092	2224	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\dir2.exe
"C:\Users\Admin\AppData\Local\Temp\dir2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\dir2.exe
"C:\Users\Admin\AppData\Local\Temp\dir2.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2700

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dir2.exe"
3⤵
PID:1092

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-13-0x0000000000F50000-0x0000000000FF4000-memory.dmp

Filesize
656KB

Download
memory/728-7-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/728-2-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/728-6-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/728-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/728-8-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/728-9-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/728-10-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/728-11-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/728-12-0x00000000029E0000-0x00000000029F3000-memory.dmp

Filesize
76KB

Download
memory/728-5-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/1092-21-0x0000000000000000-mapping.dmp

Download
memory/2224-20-0x0000000000000000-mapping.dmp

Download
memory/2224-23-0x00000000003C0000-0x00000000003E8000-memory.dmp

Filesize
160KB

Download
memory/2224-22-0x0000000000D90000-0x0000000000F03000-memory.dmp

Filesize
1.4MB

Download
memory/2224-24-0x0000000004650000-0x0000000004970000-memory.dmp

Filesize
3.1MB

Download
memory/2968-19-0x0000000005AC0000-0x0000000005BE5000-memory.dmp

Filesize
1.1MB

Download
memory/3260-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3260-15-0x000000000041CFF0-mapping.dmp

Download
memory/3260-17-0x0000000001030000-0x0000000001350000-memory.dmp

Filesize
3.1MB

Download
memory/3260-18-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing