formbook | ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284

General

Target

Request for Quotation.exe
Size

1.0MB
MD5

7f2ab7a73897ef184b2b2f88c441f7b2
SHA1

ba88609508657b04c665d15b9fec27565810aec9
SHA256

ae8f3d13092dbd9ac0a490c691eefafe0026e44148a9df896d6b5b8edceb5284
SHA512

6aa465396a70f43812e2b19da321ce02bd2a018108dd8fd29c1b9beac0d787979a15d8cebf5d62b38cc38eadada54a6b0c7a2aa0977ceedf9caef1229edd81d8

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.outtheframecustoms.com/9t6k/

Decoy

parklineemployerperks.com

container-hq.com

harzproductions.com

wweebtedge.com

sandiegosalesandleasing.com

ri-web-dev.com

ufomars.com

countrybarndogkennel.com

imakestuff.xyz

lnmqjy.com

martialarttemple.com

jermaine-williams.com

ahomedokita.com

buttsliders.com

3344cq.com

umkxmhopi.icu

houstonlasertreatment.com

makingdoathome.com

ladysativamarketing.com

shroomgiant.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1020-15-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1020-16-0x000000000041CAC0-mapping.dmp	xloader
behavioral2/memory/1076-24-0x00000000006B0000-0x00000000006D8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exesvchost.exe

description	pid	process	target process
PID 508 set thread context of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 1020 set thread context of 3048	1020	Request for Quotation.exe	Explorer.EXE
PID 1076 set thread context of 3048	1076	svchost.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2972 schtasks.exe

pid	process
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Request for Quotation.exesvchost.exe

pid	process
1020	Request for Quotation.exe
1020	Request for Quotation.exe
1020	Request for Quotation.exe
1020	Request for Quotation.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe
1076	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Request for Quotation.exesvchost.exe

pid process

1020 Request for Quotation.exe
1020 Request for Quotation.exe
1020 Request for Quotation.exe
1076 svchost.exe
1076 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request for Quotation.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1020 Request for Quotation.exe
Token: SeDebugPrivilege 1076 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1020	Request for Quotation.exe
Token: SeDebugPrivilege	1076	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Request for Quotation.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 508 wrote to memory of 2972	508	Request for Quotation.exe	schtasks.exe
PID 508 wrote to memory of 2972	508	Request for Quotation.exe	schtasks.exe
PID 508 wrote to memory of 2972	508	Request for Quotation.exe	schtasks.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 508 wrote to memory of 1020	508	Request for Quotation.exe	Request for Quotation.exe
PID 3048 wrote to memory of 1076	3048	Explorer.EXE	svchost.exe
PID 3048 wrote to memory of 1076	3048	Explorer.EXE	svchost.exe
PID 3048 wrote to memory of 1076	3048	Explorer.EXE	svchost.exe
PID 1076 wrote to memory of 3136	1076	svchost.exe	cmd.exe
PID 1076 wrote to memory of 3136	1076	svchost.exe	cmd.exe
PID 1076 wrote to memory of 3136	1076	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OrxfuWwhEehOge" /XML "C:\Users\Admin\AppData\Local\Temp\tmp416F.tmp"
3⤵
- Creates scheduled task(s)
PID:2972

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
3⤵
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp416F.tmp
MD5
f85c5df6d19abebbaa2a6ab5032529a9

SHA1
de8eb85d4c088bf6315c150fa828c6379daeb34a

SHA256
9d9facc42de6e9932a774932230b8c715bc3606debfd80a0a09a445d08380db5

SHA512
3d9362ec16c75c4682a667cfe573f80f7108d33fed4fc1e9901a48cb6a13cc0963ef7f065589ecb51414a2cb613b7e5a98c92b090c26868f36d80934c7d13df3

Download Submit
memory/508-3-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/508-5-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/508-6-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/508-7-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/508-8-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/508-9-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/508-10-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/508-11-0x00000000058A0000-0x00000000058C3000-memory.dmp

Filesize
140KB

Download
memory/508-12-0x00000000065D0000-0x0000000006631000-memory.dmp

Filesize
388KB

Download
memory/508-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1020-16-0x000000000041CAC0-mapping.dmp

Download
memory/1020-19-0x00000000010C0000-0x00000000013E0000-memory.dmp

Filesize
3.1MB

Download
memory/1020-20-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/1076-22-0x0000000000000000-mapping.dmp

Download
memory/1076-23-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/1076-24-0x00000000006B0000-0x00000000006D8000-memory.dmp

Filesize
160KB

Download
memory/1076-25-0x0000000003090000-0x00000000033B0000-memory.dmp

Filesize
3.1MB

Download
memory/1076-27-0x0000000002D70000-0x0000000002DFF000-memory.dmp

Filesize
572KB

Download
memory/2972-13-0x0000000000000000-mapping.dmp

Download
memory/3048-21-0x0000000003060000-0x0000000003124000-memory.dmp

Filesize
784KB

Download
memory/3048-28-0x00000000064E0000-0x00000000065C5000-memory.dmp

Filesize
916KB

Download
memory/3136-26-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads