formbook | f5a88909c2272b7ddba37b210ca2bbf79c4baf80e51f883a36e5887183b84d3b

General

Target

PO81053.exe
Size

189KB
MD5

133bddae88916c0016892d2cf55b6d8a
SHA1

5eaa43928a9a569fb807f5e8c1ecf9a54da79515
SHA256

f5a88909c2272b7ddba37b210ca2bbf79c4baf80e51f883a36e5887183b84d3b
SHA512

8dc23a5e14f031eaff4ee1096a8f427783b9f9a9ce83f635bf8fd712e78b9f36327b42fba6ffd696684e398fc8794e9a5dd87ffdf8ff533c98ce14856ee23697

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.wissinkadams.com/iae2/

Decoy

mainstreetswimschool.com

nhadat9chu.com

guidedcommercialloan.com

quandd.site

smittysfrontlinecarriers.com

hmas-vibrant.com

pakunok.net

jiffihosting.com

shopping-container.com

quartiercreole.net

weebflix.com

gringomexico.com

whathappensnextin6minutes.com

patchealth.com

exclusivelymarissa.com

my-glp.com

trgtbk.com

sagefemmecaluire.com

fetaldiagnosislaboratorios.com

aniversariocom-presente12.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4968-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3224-12-0x0000000002620000-0x0000000002649000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO81053.exePO81053.exemstsc.exe

description	pid	process	target process
PID 4704 set thread context of 4968	4704	PO81053.exe	PO81053.exe
PID 4968 set thread context of 2300	4968	PO81053.exe	Explorer.EXE
PID 4968 set thread context of 2300	4968	PO81053.exe	Explorer.EXE
PID 3224 set thread context of 2300	3224	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

PO81053.exemstsc.exe

pid	process
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe
3224	mstsc.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

PO81053.exePO81053.exemstsc.exe

pid process

4704 PO81053.exe
4968 PO81053.exe
4968 PO81053.exe
4968 PO81053.exe
4968 PO81053.exe
3224 mstsc.exe
3224 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO81053.exemstsc.exe

description pid process

Token: SeDebugPrivilege 4968 PO81053.exe
Token: SeDebugPrivilege 3224 mstsc.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2300 Explorer.EXE

pid	process
4704	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
4968	PO81053.exe
3224	mstsc.exe
3224	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	4968	PO81053.exe
Token: SeDebugPrivilege	3224	mstsc.exe

pid	process
2300	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PO81053.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 4704 wrote to memory of 4968	4704	PO81053.exe	PO81053.exe
PID 4704 wrote to memory of 4968	4704	PO81053.exe	PO81053.exe
PID 4704 wrote to memory of 4968	4704	PO81053.exe	PO81053.exe
PID 4704 wrote to memory of 4968	4704	PO81053.exe	PO81053.exe
PID 2300 wrote to memory of 3224	2300	Explorer.EXE	mstsc.exe
PID 2300 wrote to memory of 3224	2300	Explorer.EXE	mstsc.exe
PID 2300 wrote to memory of 3224	2300	Explorer.EXE	mstsc.exe
PID 3224 wrote to memory of 3860	3224	mstsc.exe	cmd.exe
PID 3224 wrote to memory of 3860	3224	mstsc.exe	cmd.exe
PID 3224 wrote to memory of 3860	3224	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\PO81053.exe
"C:\Users\Admin\AppData\Local\Temp\PO81053.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\PO81053.exe
"C:\Users\Admin\AppData\Local\Temp\PO81053.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO81053.exe"
3⤵
PID:3860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-7-0x0000000004CA0000-0x0000000004E1E000-memory.dmp

Filesize
1.5MB

Download
memory/2300-17-0x0000000005C40000-0x0000000005D06000-memory.dmp

Filesize
792KB

Download
memory/2300-9-0x0000000002720000-0x00000000027CE000-memory.dmp

Filesize
696KB

Download
memory/3224-12-0x0000000002620000-0x0000000002649000-memory.dmp

Filesize
164KB

Download
memory/3224-10-0x0000000000000000-mapping.dmp

Download
memory/3224-11-0x0000000000020000-0x000000000031C000-memory.dmp

Filesize
3.0MB

Download
memory/3224-13-0x0000000004600000-0x0000000004920000-memory.dmp

Filesize
3.1MB

Download
memory/3224-15-0x00000000043B0000-0x000000000443F000-memory.dmp

Filesize
572KB

Download
memory/3860-14-0x0000000000000000-mapping.dmp

Download
memory/4968-6-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/4968-8-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/4968-5-0x0000000001720000-0x0000000001A40000-memory.dmp

Filesize
3.1MB

Download
memory/4968-2-0x000000000041D0D0-mapping.dmp

Download
memory/4968-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads