formbook | cb791f412d5932e2488323eb036e19c6f495d1e89f6fcbbd0f4b81efba432378

General

Target

Busan Korea.exe
Size

1.1MB
MD5

c463ffa063af5cde7ad2a0aaf726854a
SHA1

64b49f2fbc2bbc943ddfc3515ecb6a3092ebf47c
SHA256

cb791f412d5932e2488323eb036e19c6f495d1e89f6fcbbd0f4b81efba432378
SHA512

076bd2ae39edc6acf501c925d0acb1a38e087fd2cd88e47463c0815bff6947828adffc610b0354fcc87ae43b95471ea4e4773349da1dcb6cd5d7128af8f497ae

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.valiantbranch.com/0wdn/

Decoy

inclusivefamilybookshop.com

hollyjmillsphotography.com

mojavewellnessaz.com

cookies-x.info

trainingkanban.com

tempoborough.life

mayalv.com

mbsgiftstore.com

vanjele.com

serieshaha.com

jlbstructural.com

topkids.asia

thejoyofleather.com

qvujxa.com

anythinginworld.com

danielablason.com

smartphoneloops.com

thisisauckland.com

cityelectricals.com

revati-thenoir.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1860-10-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1860-11-0x000000000041D110-mapping.dmp	xloader
behavioral1/memory/980-19-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

956 cmd.exe

pid	process
956	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Busan Korea.exeBusan Korea.exe

description	pid	process	target process
PID 1848 set thread context of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1860 set thread context of 1220	1860	Busan Korea.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

944 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Busan Korea.exewlanext.exe

pid process

1860 Busan Korea.exe
1860 Busan Korea.exe
980 wlanext.exe
980 wlanext.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Busan Korea.exewlanext.exe

pid process

1860 Busan Korea.exe
1860 Busan Korea.exe
1860 Busan Korea.exe
980 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Busan Korea.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1860 Busan Korea.exe
Token: SeDebugPrivilege 980 wlanext.exe

pid	process
944	schtasks.exe

pid	process
1860	Busan Korea.exe
1860	Busan Korea.exe
980	wlanext.exe
980	wlanext.exe

pid	process
1860	Busan Korea.exe
1860	Busan Korea.exe
1860	Busan Korea.exe
980	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1860	Busan Korea.exe
Token: SeDebugPrivilege	980	wlanext.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Busan Korea.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1848 wrote to memory of 944	1848	Busan Korea.exe	schtasks.exe
PID 1848 wrote to memory of 944	1848	Busan Korea.exe	schtasks.exe
PID 1848 wrote to memory of 944	1848	Busan Korea.exe	schtasks.exe
PID 1848 wrote to memory of 944	1848	Busan Korea.exe	schtasks.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1848 wrote to memory of 1860	1848	Busan Korea.exe	Busan Korea.exe
PID 1220 wrote to memory of 980	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 980	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 980	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 980	1220	Explorer.EXE	wlanext.exe
PID 980 wrote to memory of 956	980	wlanext.exe	cmd.exe
PID 980 wrote to memory of 956	980	wlanext.exe	cmd.exe
PID 980 wrote to memory of 956	980	wlanext.exe	cmd.exe
PID 980 wrote to memory of 956	980	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe
"C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAqFmidTWJQD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F4D.tmp"
3⤵
- Creates scheduled task(s)
PID:944

C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe
"C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
3⤵
- Deletes itself
PID:956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7F4D.tmp
MD5
038e4d68bd6b474c7cf95ad5e66f56ec

SHA1
03f6d2a2bbe00b4ab8cf3301836e7698ee174516

SHA256
8f14c7dd91c2e0ff7500766508bf91d51615f4a3f55fd3341c488591d2b2a128

SHA512
d8d4c1ea7ea704289fde1fbd6de4a5df215fe942c7a597df834cd3ea5c5219e641ac1a2146ff7c139626c15041c9e4e2c5afe8a219b60e9ea6ea401f854bb4e6

Download Submit
memory/944-8-0x0000000000000000-mapping.dmp

Download
memory/956-17-0x0000000000000000-mapping.dmp

Download
memory/980-21-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/980-20-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/980-19-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/980-18-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/980-16-0x0000000000000000-mapping.dmp

Download
memory/1220-15-0x0000000004950000-0x00000000049FF000-memory.dmp

Filesize
700KB

Download
memory/1848-7-0x0000000004C20000-0x0000000004CC4000-memory.dmp

Filesize
656KB

Download
memory/1848-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-6-0x0000000000520000-0x0000000000533000-memory.dmp

Filesize
76KB

Download
memory/1848-5-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1848-3-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1860-14-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/1860-13-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/1860-11-0x000000000041D110-mapping.dmp

Download
memory/1860-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads