formbook | f1422701954b6c0116802819526ba75f414beda5419f80445d321885d8732473

General

Target

3KvCNpcQ6tvwKr5.exe
Size

894KB
MD5

03c67a5a09e3a472b5ac1db3e64f36dd
SHA1

ed818f401e5d67f1351fd94d121c0a64739bcba9
SHA256

f1422701954b6c0116802819526ba75f414beda5419f80445d321885d8732473
SHA512

6d7279cfc5a9e68c1f8c9aa39d4f2208487a42bbd967337a25611513efcf10e1dd7d27a04aeae84bd1a131c068b5d5f2a121bdadbed94927bd590a8bf35412a9

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.allismd.com/ur06/

Decoy

philippebrooksdesign.com

cmoorestudio.com

profille-sarina23tammara.club

dqulxe.com

uiffinger.com

nolarapper.com

maconanimalexterminator.com

bisovka.com

loveisloveent.com

datication.com

spxo66.com

drhelpnow.com

ladybug-cle.com

macocome.com

thepoppysocks.com

eldritchparadox.com

mercadolibre.company

ismartfarm.com

kansascarlot.com

kevinld.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1700-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1700-6-0x000000000041D000-mapping.dmp	xloader
behavioral1/memory/900-14-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

956 cmd.exe

pid	process
956	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3KvCNpcQ6tvwKr5.exe3KvCNpcQ6tvwKr5.exeraserver.exe

description	pid	process	target process
PID 1668 set thread context of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1700 set thread context of 1248	1700	3KvCNpcQ6tvwKr5.exe	Explorer.EXE
PID 900 set thread context of 1248	900	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

3KvCNpcQ6tvwKr5.exeraserver.exe

pid	process
1700	3KvCNpcQ6tvwKr5.exe
1700	3KvCNpcQ6tvwKr5.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe
900	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

3KvCNpcQ6tvwKr5.exeraserver.exe

pid process

1700 3KvCNpcQ6tvwKr5.exe
1700 3KvCNpcQ6tvwKr5.exe
1700 3KvCNpcQ6tvwKr5.exe
900 raserver.exe
900 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3KvCNpcQ6tvwKr5.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1700 3KvCNpcQ6tvwKr5.exe
Token: SeDebugPrivilege 900 raserver.exe

description	pid	process
Token: SeDebugPrivilege	1700	3KvCNpcQ6tvwKr5.exe
Token: SeDebugPrivilege	900	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3KvCNpcQ6tvwKr5.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1668 wrote to memory of 1700	1668	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 1248 wrote to memory of 900	1248	Explorer.EXE	raserver.exe
PID 1248 wrote to memory of 900	1248	Explorer.EXE	raserver.exe
PID 1248 wrote to memory of 900	1248	Explorer.EXE	raserver.exe
PID 1248 wrote to memory of 900	1248	Explorer.EXE	raserver.exe
PID 900 wrote to memory of 956	900	raserver.exe	cmd.exe
PID 900 wrote to memory of 956	900	raserver.exe	cmd.exe
PID 900 wrote to memory of 956	900	raserver.exe	cmd.exe
PID 900 wrote to memory of 956	900	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe
"C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe
"C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
3⤵
- Deletes itself
PID:956

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-13-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/900-17-0x0000000001E00000-0x0000000001E8F000-memory.dmp

Filesize
572KB

Download
memory/900-15-0x0000000001F00000-0x0000000002203000-memory.dmp

Filesize
3.0MB

Download
memory/900-11-0x0000000000000000-mapping.dmp

Download
memory/900-14-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/956-16-0x0000000000000000-mapping.dmp

Download
memory/1248-10-0x0000000006630000-0x0000000006781000-memory.dmp

Filesize
1.3MB

Download
memory/1668-3-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1668-4-0x0000000000121000-0x0000000000122000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1700-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1700-9-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1700-8-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1700-6-0x000000000041D000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads