formbook | dd9c6267a87c89067d157e28d6f3ca17f958871f3d403609ed72dad80514e226

General

Target

Calendario dei pagamenti.exe
Size

219KB
MD5

1a02db6595fb5471a1d91a4f51897269
SHA1

644069ab472309d4ecfca95de736dfb14676a776
SHA256

dd9c6267a87c89067d157e28d6f3ca17f958871f3d403609ed72dad80514e226
SHA512

ca86ca60343f96581c67ddaabd8553cfa030a1ae7cbedc0f05da403d972f7c2de9bf3048a0dbd43642c846f92f9c6f5b280f6537ef013a6d121fb70d72a2905d

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.smallcoloradoweddings.com/kio8/

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3224-8-0x0000000000D60000-0x0000000000D89000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Calendario dei pagamenti.exeCalendario dei pagamenti.execmmon32.exe

description	pid	process	target process
PID 644 set thread context of 2224	644	Calendario dei pagamenti.exe	Calendario dei pagamenti.exe
PID 2224 set thread context of 2580	2224	Calendario dei pagamenti.exe	Explorer.EXE
PID 3224 set thread context of 2580	3224	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Calendario dei pagamenti.execmmon32.exe

pid	process
2224	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe
3224	cmmon32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Calendario dei pagamenti.exeCalendario dei pagamenti.execmmon32.exe

pid	process
644	Calendario dei pagamenti.exe
644	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
2224	Calendario dei pagamenti.exe
3224	cmmon32.exe
3224	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Calendario dei pagamenti.execmmon32.exe

description pid process

Token: SeDebugPrivilege 2224 Calendario dei pagamenti.exe
Token: SeDebugPrivilege 3224 cmmon32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2580 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2224	Calendario dei pagamenti.exe
Token: SeDebugPrivilege	3224	cmmon32.exe

pid	process
2580	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Calendario dei pagamenti.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 644 wrote to memory of 2224	644	Calendario dei pagamenti.exe	Calendario dei pagamenti.exe
PID 644 wrote to memory of 2224	644	Calendario dei pagamenti.exe	Calendario dei pagamenti.exe
PID 644 wrote to memory of 2224	644	Calendario dei pagamenti.exe	Calendario dei pagamenti.exe
PID 644 wrote to memory of 2224	644	Calendario dei pagamenti.exe	Calendario dei pagamenti.exe
PID 2580 wrote to memory of 3224	2580	Explorer.EXE	cmmon32.exe
PID 2580 wrote to memory of 3224	2580	Explorer.EXE	cmmon32.exe
PID 2580 wrote to memory of 3224	2580	Explorer.EXE	cmmon32.exe
PID 3224 wrote to memory of 516	3224	cmmon32.exe	cmd.exe
PID 3224 wrote to memory of 516	3224	cmmon32.exe	cmd.exe
PID 3224 wrote to memory of 516	3224	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe
"C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe
"C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
3⤵
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-9-0x0000000000000000-mapping.dmp

Download
memory/2224-2-0x000000000018D0B0-mapping.dmp

Download
memory/2224-4-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2224-3-0x0000000000A30000-0x0000000000D50000-memory.dmp

Filesize
3.1MB

Download
memory/2580-5-0x0000000005210000-0x000000000537A000-memory.dmp

Filesize
1.4MB

Download
memory/2580-12-0x0000000002A30000-0x0000000002AE6000-memory.dmp

Filesize
728KB

Download
memory/3224-6-0x0000000000000000-mapping.dmp

Download
memory/3224-8-0x0000000000D60000-0x0000000000D89000-memory.dmp

Filesize
164KB

Download
memory/3224-7-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/3224-10-0x0000000004FE0000-0x0000000005300000-memory.dmp

Filesize
3.1MB

Download
memory/3224-11-0x0000000004CB0000-0x0000000004D3F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads