formbook | ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284

General

Target

Request for Quotation.exe
Size

1.0MB
MD5

7f2ab7a73897ef184b2b2f88c441f7b2
SHA1

ba88609508657b04c665d15b9fec27565810aec9
SHA256

ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284
SHA512

6aa465396a70f43812e2b19da321ce02bd2a018108dd8fd29c1b9beac0d787979a15d8cebf5d62b38cc38eadada54a6b0c7a2aa0977ceedf9caef1229edd81d8

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.outtheframecustoms.com/9t6k/

Decoy

parklineemployerperks.com

container-hq.com

harzproductions.com

wweebtedge.com

sandiegosalesandleasing.com

ri-web-dev.com

ufomars.com

countrybarndogkennel.com

imakestuff.xyz

lnmqjy.com

martialarttemple.com

jermaine-williams.com

ahomedokita.com

buttsliders.com

3344cq.com

umkxmhopi.icu

houstonlasertreatment.com

makingdoathome.com

ladysativamarketing.com

shroomgiant.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-10-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/268-11-0x000000000041CAC0-mapping.dmp	xloader
behavioral1/memory/1824-21-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1532 cmd.exe

pid	process
1532	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exeipconfig.exe

description	pid	process	target process
PID 2004 set thread context of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 268 set thread context of 1304	268	Request for Quotation.exe	Explorer.EXE
PID 268 set thread context of 1304	268	Request for Quotation.exe	Explorer.EXE
PID 1824 set thread context of 1304	1824	ipconfig.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1928 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1824 ipconfig.exe

pid	process
1928	schtasks.exe

pid	process
1824	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Request for Quotation.exeipconfig.exe

pid	process
268	Request for Quotation.exe
268	Request for Quotation.exe
268	Request for Quotation.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe
1824	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Request for Quotation.exeipconfig.exe

pid	process
268	Request for Quotation.exe
268	Request for Quotation.exe
268	Request for Quotation.exe
268	Request for Quotation.exe
1824	ipconfig.exe
1824	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request for Quotation.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 268 Request for Quotation.exe
Token: SeDebugPrivilege 1824 ipconfig.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	268	Request for Quotation.exe
Token: SeDebugPrivilege	1824	ipconfig.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exeipconfig.exe

description	pid	process	target process
PID 2004 wrote to memory of 1928	2004	Request for Quotation.exe	schtasks.exe
PID 2004 wrote to memory of 1928	2004	Request for Quotation.exe	schtasks.exe
PID 2004 wrote to memory of 1928	2004	Request for Quotation.exe	schtasks.exe
PID 2004 wrote to memory of 1928	2004	Request for Quotation.exe	schtasks.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 268	2004	Request for Quotation.exe	Request for Quotation.exe
PID 268 wrote to memory of 1824	268	Request for Quotation.exe	ipconfig.exe
PID 268 wrote to memory of 1824	268	Request for Quotation.exe	ipconfig.exe
PID 268 wrote to memory of 1824	268	Request for Quotation.exe	ipconfig.exe
PID 268 wrote to memory of 1824	268	Request for Quotation.exe	ipconfig.exe
PID 1824 wrote to memory of 1532	1824	ipconfig.exe	cmd.exe
PID 1824 wrote to memory of 1532	1824	ipconfig.exe	cmd.exe
PID 1824 wrote to memory of 1532	1824	ipconfig.exe	cmd.exe
PID 1824 wrote to memory of 1532	1824	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1304

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OrxfuWwhEehOge" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp"
3⤵
- Creates scheduled task(s)
PID:1928

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
4⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
5⤵
- Deletes itself
PID:1532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp
MD5
a91a51fc9b19f46d5b23633cbfa2bafb

SHA1
ea1cc40405dc061dd779d9e409c65fd17f543d5b

SHA256
d3aa11649adc5df07d95b257d5ac6eb47ca76161c2b9ea846d7ee6ed6057cade

SHA512
6abc2e48e88240ba6582b6017e65c50d8cda4f685a7d4837231e3fc3f53092a06de7a99558e292f6e1d4744eee2a2543832e632cdc9084485c1df2d317097a4f

Download Submit
memory/268-13-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/268-16-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/268-14-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/268-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/268-11-0x000000000041CAC0-mapping.dmp

Download
memory/1304-17-0x0000000006AE0000-0x0000000006BBF000-memory.dmp

Filesize
892KB

Download
memory/1304-15-0x0000000004910000-0x00000000049C7000-memory.dmp

Filesize
732KB

Download
memory/1532-23-0x0000000000000000-mapping.dmp

Download
memory/1824-19-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/1824-18-0x0000000000000000-mapping.dmp

Download
memory/1824-20-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/1824-21-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1824-22-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/1824-24-0x00000000008F0000-0x000000000097F000-memory.dmp

Filesize
572KB

Download
memory/1928-8-0x0000000000000000-mapping.dmp

Download
memory/2004-7-0x0000000005450000-0x00000000054B1000-memory.dmp

Filesize
388KB

Download
memory/2004-6-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2004-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-3-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads