formbook | c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57

General

Target

Consignment Document PL&BL Draft.exe
Size

460KB
MD5

bf30d9af8aa63484e6fe1d73a184afd9
SHA1

cbc300068895405af8c9da413b7081cb0d281084
SHA256

c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57
SHA512

dc4bfa6810a1e9c4a33ae45088fc590b42c8ca6613d506ea5abc4b4b6bddac2165ee311d5ccd7058a4054ece2559df85e25c06f842e4e3f5f0e63322b02f3679

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.mwavpn.com/9bwn/

Decoy

italiancoastal.com

shareandfit.com

ibexacademia.com

guejek.com

vitalbizdev.com

connemaracomputers.com

surf-livre.com

styleforwoman.com

costcopaysecure.com

kingdomandqueendom.com

www-societegenerale.com

radiokerbfm.com

marylandstars.net

thechampionsday.com

beertenderb95.com

iybbshop.com

maglex.info

vh3g.asia

zaairobot.online

ryderhydros.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1836-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1968-10-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe

pid	process
1064	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Consignment Document PL&BL Draft.exeConsignment Document PL&BL Draft.exewlanext.exe

description	pid	process	target process
PID 1724 set thread context of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1836 set thread context of 1248	1836	Consignment Document PL&BL Draft.exe	Explorer.EXE
PID 1968 set thread context of 1248	1968	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

Consignment Document PL&BL Draft.exewlanext.exe

pid	process
1836	Consignment Document PL&BL Draft.exe
1836	Consignment Document PL&BL Draft.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe
1968	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Consignment Document PL&BL Draft.exeConsignment Document PL&BL Draft.exewlanext.exe

pid	process
1724	Consignment Document PL&BL Draft.exe
1836	Consignment Document PL&BL Draft.exe
1836	Consignment Document PL&BL Draft.exe
1836	Consignment Document PL&BL Draft.exe
1968	wlanext.exe
1968	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Consignment Document PL&BL Draft.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1836 Consignment Document PL&BL Draft.exe
Token: SeDebugPrivilege 1968 wlanext.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1836	Consignment Document PL&BL Draft.exe
Token: SeDebugPrivilege	1968	wlanext.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Consignment Document PL&BL Draft.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1724 wrote to memory of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1724 wrote to memory of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1724 wrote to memory of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1724 wrote to memory of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1724 wrote to memory of 1836	1724	Consignment Document PL&BL Draft.exe	Consignment Document PL&BL Draft.exe
PID 1248 wrote to memory of 1968	1248	Explorer.EXE	wlanext.exe
PID 1248 wrote to memory of 1968	1248	Explorer.EXE	wlanext.exe
PID 1248 wrote to memory of 1968	1248	Explorer.EXE	wlanext.exe
PID 1248 wrote to memory of 1968	1248	Explorer.EXE	wlanext.exe
PID 1968 wrote to memory of 1064	1968	wlanext.exe	cmd.exe
PID 1968 wrote to memory of 1064	1968	wlanext.exe	cmd.exe
PID 1968 wrote to memory of 1064	1968	wlanext.exe	cmd.exe
PID 1968 wrote to memory of 1064	1968	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe
"C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
3⤵
- Deletes itself
PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-8-0x0000000000000000-mapping.dmp

Download
memory/1248-6-0x0000000006C40000-0x0000000006DB0000-memory.dmp

Filesize
1.4MB

Download
memory/1248-13-0x00000000068A0000-0x00000000069B6000-memory.dmp

Filesize
1.1MB

Download
memory/1340-15-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

Filesize
2.5MB

Download
memory/1836-5-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1836-2-0x000000000041D050-mapping.dmp

Download
memory/1836-4-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1836-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1968-7-0x0000000000000000-mapping.dmp

Download
memory/1968-9-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/1968-11-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/1968-10-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1968-12-0x00000000008E0000-0x000000000096F000-memory.dmp

Filesize
572KB

Download
memory/1968-14-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads