formbook | a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e

General

Target

Invoice Payment Details.exe
Size

892KB
MD5

9570c6d8cef329a8984dc89ecc786c28
SHA1

f318481b2fa2cc222bb783974c917f7c2b352c8f
SHA256

a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e
SHA512

3f1a3827be7daa886136c039b22a91d8c577e18f651cb414a2f9ebae258e45772533f17253f58a600c05b1307ef618ec6dd49ceebc5128333f53f83068293251

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.smallcoloradoweddings.com/kio8/

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/836-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/836-14-0x000000000041D0B0-mapping.dmp	xloader
behavioral2/memory/2732-21-0x0000000002CE0000-0x0000000002D09000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Invoice Payment Details.exeInvoice Payment Details.exeNETSTAT.EXE

description	pid	process	target process
PID 1192 set thread context of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 836 set thread context of 2588	836	Invoice Payment Details.exe	Explorer.EXE
PID 2732 set thread context of 2588	2732	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2732 NETSTAT.EXE

pid	process
2732	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

Invoice Payment Details.exeNETSTAT.EXE

pid	process
836	Invoice Payment Details.exe
836	Invoice Payment Details.exe
836	Invoice Payment Details.exe
836	Invoice Payment Details.exe
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE
2732	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Invoice Payment Details.exeNETSTAT.EXE

pid process

836 Invoice Payment Details.exe
836 Invoice Payment Details.exe
836 Invoice Payment Details.exe
2732 NETSTAT.EXE
2732 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Invoice Payment Details.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 836 Invoice Payment Details.exe
Token: SeDebugPrivilege 2732 NETSTAT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2588 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	836	Invoice Payment Details.exe
Token: SeDebugPrivilege	2732	NETSTAT.EXE

pid	process
2588	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Invoice Payment Details.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 1192 wrote to memory of 836	1192	Invoice Payment Details.exe	Invoice Payment Details.exe
PID 2588 wrote to memory of 2732	2588	Explorer.EXE	NETSTAT.EXE
PID 2588 wrote to memory of 2732	2588	Explorer.EXE	NETSTAT.EXE
PID 2588 wrote to memory of 2732	2588	Explorer.EXE	NETSTAT.EXE
PID 2732 wrote to memory of 884	2732	NETSTAT.EXE	cmd.exe
PID 2732 wrote to memory of 884	2732	NETSTAT.EXE	cmd.exe
PID 2732 wrote to memory of 884	2732	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"
3⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/836-17-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/836-16-0x0000000001050000-0x0000000001370000-memory.dmp

Filesize
3.1MB

Download
memory/836-14-0x000000000041D0B0-mapping.dmp

Download
memory/884-23-0x0000000000000000-mapping.dmp

Download
memory/1192-8-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1192-3-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1192-10-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x00000000056C0000-0x00000000056E3000-memory.dmp

Filesize
140KB

Download
memory/1192-12-0x0000000006140000-0x00000000061A1000-memory.dmp

Filesize
388KB

Download
memory/1192-2-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-7-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1192-6-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/1192-5-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1192-9-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2588-18-0x0000000005820000-0x0000000005951000-memory.dmp

Filesize
1.2MB

Download
memory/2588-26-0x0000000001290000-0x0000000001355000-memory.dmp

Filesize
788KB

Download
memory/2732-20-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/2732-21-0x0000000002CE0000-0x0000000002D09000-memory.dmp

Filesize
164KB

Download
memory/2732-22-0x0000000003450000-0x0000000003770000-memory.dmp

Filesize
3.1MB

Download
memory/2732-19-0x0000000000000000-mapping.dmp

Download
memory/2732-25-0x00000000032C0000-0x000000000334F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads