formbook | 8bb4cdfefd9caae6291347842048859a0f44a3cd6a3313004506f939541ce0a3

General

Target

SKM_C221200706052800n.exe
Size

263KB
MD5

428a6aceb56f682b4b95685dd56f805f
SHA1

20549710f386a134b7fac0db3dbe4bb1118908f1
SHA256

8bb4cdfefd9caae6291347842048859a0f44a3cd6a3313004506f939541ce0a3
SHA512

1a65bba17b0730bc6a7453fabb55367a06a4ff247944f5621c9137c3266ffb6853a6d3f0af5432751c1b22d990b9a5af2208afaae2cf19118f2f9b22414e33c6

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.destinny.com/s9zh/

Decoy

paintedinafrica.com

electrumfix.download

edlange.com

tqiawy.xyz

satiscenter.xyz

nc-affiliates.com

agencybuilderforum.com

testabcde.net

venisseturf.net

rubenvdsande.com

nzmatrimony.com

mdthriftsandflips.com

virtualfxstudio.com

communityinsuranceut.com

qqbokep.com

copeva.net

bookedupdaily.com

houstongrowmyairway.com

fortunapublishing.com

empireplumbingandheating.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 672 created 1052 672 WerFault.exe SKM_C221200706052800n.exe
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

description	pid	process	target process
PID 672 created 1052	672	WerFault.exe	SKM_C221200706052800n.exe

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/204-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/204-4-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/2252-17-0x0000000000600000-0x0000000000629000-memory.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

SKM_C221200706052800n.exevbc.exemsdt.exe

description	pid	process	target process
PID 1052 set thread context of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 204 set thread context of 3040	204	vbc.exe	Explorer.EXE
PID 2252 set thread context of 3040	2252	msdt.exe	Explorer.EXE

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

944 1052 WerFault.exe SKM_C221200706052800n.exe
672 1052 WerFault.exe SKM_C221200706052800n.exe

pid	pid_target	process	target process
944	1052	WerFault.exe	SKM_C221200706052800n.exe
672	1052	WerFault.exe	SKM_C221200706052800n.exe

Suspicious behavior: EnumeratesProcesses 93 IoCs

Processes:

SKM_C221200706052800n.exevbc.exeWerFault.exeWerFault.exemsdt.exe

pid	process
1052	SKM_C221200706052800n.exe
1052	SKM_C221200706052800n.exe
1052	SKM_C221200706052800n.exe
204	vbc.exe
204	vbc.exe
204	vbc.exe
204	vbc.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
944	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
672	WerFault.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe
2252	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exemsdt.exe

pid process

204 vbc.exe
204 vbc.exe
204 vbc.exe
2252 msdt.exe
2252 msdt.exe

pid	process
204	vbc.exe
204	vbc.exe
204	vbc.exe
2252	msdt.exe
2252	msdt.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

SKM_C221200706052800n.exevbc.exeWerFault.exeWerFault.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	1052	SKM_C221200706052800n.exe
Token: SeDebugPrivilege	204	vbc.exe
Token: SeRestorePrivilege	944	WerFault.exe
Token: SeBackupPrivilege	944	WerFault.exe
Token: SeDebugPrivilege	944	WerFault.exe
Token: SeDebugPrivilege	672	WerFault.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeDebugPrivilege	2252	msdt.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE

pid	process
3040	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SKM_C221200706052800n.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 1052 wrote to memory of 204	1052	SKM_C221200706052800n.exe	vbc.exe
PID 3040 wrote to memory of 2252	3040	Explorer.EXE	msdt.exe
PID 3040 wrote to memory of 2252	3040	Explorer.EXE	msdt.exe
PID 3040 wrote to memory of 2252	3040	Explorer.EXE	msdt.exe
PID 2252 wrote to memory of 500	2252	msdt.exe	cmd.exe
PID 2252 wrote to memory of 500	2252	msdt.exe	cmd.exe
PID 2252 wrote to memory of 500	2252	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800n.exe
"C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800n.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1032
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 984
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1564

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-10-0x0000000000A20000-0x0000000000D40000-memory.dmp

Filesize
3.1MB

Download
memory/204-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/204-4-0x000000000041D060-mapping.dmp

Download
memory/204-11-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/500-16-0x0000000000000000-mapping.dmp

Download
memory/672-13-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/944-8-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/944-6-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/1052-2-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2252-14-0x0000000000000000-mapping.dmp

Download
memory/2252-17-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/2252-15-0x00000000008F0000-0x0000000000A63000-memory.dmp

Filesize
1.4MB

Download
memory/2252-18-0x00000000046B0000-0x00000000049D0000-memory.dmp

Filesize
3.1MB

Download
memory/2252-19-0x00000000042A0000-0x0000000004330000-memory.dmp

Filesize
576KB

Download
memory/3040-12-0x0000000002FB0000-0x0000000003091000-memory.dmp

Filesize
900KB

Download
memory/3040-20-0x0000000006720000-0x00000000067E9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads