formbook | f1422701954b6c0116802819526ba75f414beda5419f80445d321885d8732473

General

Target

3KvCNpcQ6tvwKr5.exe
Size

894KB
MD5

03c67a5a09e3a472b5ac1db3e64f36dd
SHA1

ed818f401e5d67f1351fd94d121c0a64739bcba9
SHA256

f1422701954b6c0116802819526ba75f414beda5419f80445d321885d8732473
SHA512

6d7279cfc5a9e68c1f8c9aa39d4f2208487a42bbd967337a25611513efcf10e1dd7d27a04aeae84bd1a131c068b5d5f2a121bdadbed94927bd590a8bf35412a9

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.allismd.com/ur06/

Decoy

philippebrooksdesign.com

cmoorestudio.com

profille-sarina23tammara.club

dqulxe.com

uiffinger.com

nolarapper.com

maconanimalexterminator.com

bisovka.com

loveisloveent.com

datication.com

spxo66.com

drhelpnow.com

ladybug-cle.com

macocome.com

thepoppysocks.com

eldritchparadox.com

mercadolibre.company

ismartfarm.com

kansascarlot.com

kevinld.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4280-4-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4280-5-0x000000000041D000-mapping.dmp	xloader
behavioral2/memory/452-13-0x0000000000140000-0x0000000000168000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

3KvCNpcQ6tvwKr5.exe3KvCNpcQ6tvwKr5.exerundll32.exe

description	pid	process	target process
PID 4808 set thread context of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4280 set thread context of 3152	4280	3KvCNpcQ6tvwKr5.exe	Explorer.EXE
PID 452 set thread context of 3152	452	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

3KvCNpcQ6tvwKr5.exe3KvCNpcQ6tvwKr5.exerundll32.exe

pid	process
4808	3KvCNpcQ6tvwKr5.exe
4808	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

3KvCNpcQ6tvwKr5.exerundll32.exe

pid process

4280 3KvCNpcQ6tvwKr5.exe
4280 3KvCNpcQ6tvwKr5.exe
4280 3KvCNpcQ6tvwKr5.exe
452 rundll32.exe
452 rundll32.exe

pid	process
4280	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
4280	3KvCNpcQ6tvwKr5.exe
452	rundll32.exe
452	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3KvCNpcQ6tvwKr5.exe3KvCNpcQ6tvwKr5.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	4808	3KvCNpcQ6tvwKr5.exe
Token: SeDebugPrivilege	4280	3KvCNpcQ6tvwKr5.exe
Token: SeDebugPrivilege	452	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3KvCNpcQ6tvwKr5.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4808 wrote to memory of 4288	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4288	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4288	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 4808 wrote to memory of 4280	4808	3KvCNpcQ6tvwKr5.exe	3KvCNpcQ6tvwKr5.exe
PID 3152 wrote to memory of 452	3152	Explorer.EXE	rundll32.exe
PID 3152 wrote to memory of 452	3152	Explorer.EXE	rundll32.exe
PID 3152 wrote to memory of 452	3152	Explorer.EXE	rundll32.exe
PID 452 wrote to memory of 840	452	rundll32.exe	cmd.exe
PID 452 wrote to memory of 840	452	rundll32.exe	cmd.exe
PID 452 wrote to memory of 840	452	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe
"C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe
"C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
3⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe
"C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\3KvCNpcQ6tvwKr5.exe"
3⤵
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-12-0x0000000000D30000-0x0000000000D43000-memory.dmp

Filesize
76KB

Download
memory/452-16-0x0000000004470000-0x00000000044FF000-memory.dmp

Filesize
572KB

Download
memory/452-13-0x0000000000140000-0x0000000000168000-memory.dmp

Filesize
160KB

Download
memory/452-14-0x0000000004150000-0x0000000004470000-memory.dmp

Filesize
3.1MB

Download
memory/452-11-0x0000000000000000-mapping.dmp

Download
memory/840-15-0x0000000000000000-mapping.dmp

Download
memory/3152-17-0x00000000056F0000-0x00000000057EA000-memory.dmp

Filesize
1000KB

Download
memory/3152-10-0x0000000003040000-0x0000000003139000-memory.dmp

Filesize
996KB

Download
memory/4280-5-0x000000000041D000-mapping.dmp

Download
memory/4280-8-0x0000000001390000-0x00000000016B0000-memory.dmp

Filesize
3.1MB

Download
memory/4280-9-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/4280-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4808-2-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/4808-3-0x0000000002BA1000-0x0000000002BA2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads