formbook | 00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91

General

Target

9tyZf93qRdNHfVw.exe
Size

930KB
MD5

2967ace274e8984c8543c386a8d0f3e2
SHA1

aba6f9d379b6a75b84e1a03ea7cc89d13c952b55
SHA256

00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
SHA512

88fd9f24c435bcc411a705f4e262ca8ff44ab8df555fb0653cb110769820155c73901ab06784777974e18abaeba58ad97ad12319cb7d68d3128dda7228162d4f

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.besteprobioticakopen.online/uszn/

Decoy

animegriptape.com

pcpnetworks.com

putupmybabyforadoption.com

xn--jvrr98g37n88d.com

fertinvitro.doctor

undonethread.com

avoleague.com

sissysundays.com

guilhermeoliveiro.site

catholicon-bespeckle.info

mardesuenosfundacion.com

songkhoe24.site

shoecityindia.com

smallbathroomdecor.info

tskusa.com

prairiespringsllc.com

kegncoffee.com

clicklounge.xyz

catholicendoflifeplanning.com

steelobzee.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1408-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1408-9-0x000000000041D0F0-mapping.dmp	xloader
behavioral1/memory/1612-20-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1564 cmd.exe

pid	process
1564	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9tyZf93qRdNHfVw.exe9tyZf93qRdNHfVw.execmstp.exe

description	pid	process	target process
PID 1056 set thread context of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1408 set thread context of 1212	1408	9tyZf93qRdNHfVw.exe	Explorer.EXE
PID 1408 set thread context of 1212	1408	9tyZf93qRdNHfVw.exe	Explorer.EXE
PID 1612 set thread context of 1212	1612	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

9tyZf93qRdNHfVw.exe9tyZf93qRdNHfVw.execmstp.exe

pid	process
1056	9tyZf93qRdNHfVw.exe
1056	9tyZf93qRdNHfVw.exe
1056	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe
1612	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

9tyZf93qRdNHfVw.execmstp.exe

pid process

1408 9tyZf93qRdNHfVw.exe
1408 9tyZf93qRdNHfVw.exe
1408 9tyZf93qRdNHfVw.exe
1408 9tyZf93qRdNHfVw.exe
1612 cmstp.exe
1612 cmstp.exe

pid	process
1408	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1408	9tyZf93qRdNHfVw.exe
1612	cmstp.exe
1612	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9tyZf93qRdNHfVw.exe9tyZf93qRdNHfVw.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1056	9tyZf93qRdNHfVw.exe
Token: SeDebugPrivilege	1408	9tyZf93qRdNHfVw.exe
Token: SeDebugPrivilege	1612	cmstp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

9tyZf93qRdNHfVw.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1056 wrote to memory of 828	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 828	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 828	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 828	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1056 wrote to memory of 1408	1056	9tyZf93qRdNHfVw.exe	9tyZf93qRdNHfVw.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1212 wrote to memory of 1612	1212	Explorer.EXE	cmstp.exe
PID 1612 wrote to memory of 1564	1612	cmstp.exe	cmd.exe
PID 1612 wrote to memory of 1564	1612	cmstp.exe	cmd.exe
PID 1612 wrote to memory of 1564	1612	cmstp.exe	cmd.exe
PID 1612 wrote to memory of 1564	1612	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\9tyZf93qRdNHfVw.exe
"C:\Users\Admin\AppData\Local\Temp\9tyZf93qRdNHfVw.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\9tyZf93qRdNHfVw.exe
"{path}"
3⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\9tyZf93qRdNHfVw.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\9tyZf93qRdNHfVw.exe"
3⤵
- Deletes itself
PID:1564

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-2-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-3-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1056-5-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1056-6-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/1056-7-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/1212-15-0x0000000004EB0000-0x0000000004FBB000-memory.dmp

Filesize
1.0MB

Download
memory/1212-13-0x0000000004B70000-0x0000000004C6C000-memory.dmp

Filesize
1008KB

Download
memory/1408-12-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1408-11-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/1408-9-0x000000000041D0F0-mapping.dmp

Download
memory/1408-14-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1408-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1564-18-0x0000000000000000-mapping.dmp

Download
memory/1612-16-0x0000000000000000-mapping.dmp

Download
memory/1612-17-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1612-20-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1612-21-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/1612-19-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/1612-22-0x0000000000A40000-0x0000000000ACF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads