formbook | 63b3402660ff4a015ff3bf516ece2da73234e315f5b0b7235ef3c4523d846152

General

Target

PO-RY 001-21 Accuri.jar
Size

372KB
MD5

c57bb7c025860397afdef61c676ead90
SHA1

6b2195e0b140ad27c5fd909f4944b5a63c2a6e08
SHA256

63b3402660ff4a015ff3bf516ece2da73234e315f5b0b7235ef3c4523d846152
SHA512

7f1ddd540b4cb316101e1facb8a217047d607b7bcd9e888f020d2ca4fa46f0e04747fc465424f87c7e1a4c8713aa84bb34b33f4e2b97edb16d4c66392f90f6bd

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.dmvantalya.com/bnuw/

Decoy

amgggma.com

reptilerus.com

degearboss.com

jennaelsbakeshop.com

invisablescreen.com

beingsingleda.com

2nsupplements.online

12862.xyz

expand.care

romeoalchimistefullmental.com

7750166.com

brendonellis.com

sprayfoamharlemny.com

bukannyaterbuai30.com

boatpiz.com

stylistrx.com

decorationhaven.com

stockaro.com

state728.com

secretlairtoys.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1768-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1656-41-0x00000000000D0000-0x00000000000F8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

UjbG.exeUjbG.exe

pid process

1636 UjbG.exe
1768 UjbG.exe
Loads dropped DLL 1 IoCs

Processes:

UjbG.exe

pid process

1636 UjbG.exe

pid	process
1636	UjbG.exe
1768	UjbG.exe

pid	process
1636	UjbG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

UjbG.exeUjbG.exeipconfig.exe

description	pid	process	target process
PID 1636 set thread context of 1768	1636	UjbG.exe	UjbG.exe
PID 1768 set thread context of 1248	1768	UjbG.exe	Explorer.EXE
PID 1656 set thread context of 1248	1656	ipconfig.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1760 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1656 ipconfig.exe

pid	process
1760	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1656	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

288 EXCEL.EXE

pid	process
288	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

UjbG.exeipconfig.exe

pid	process
1768	UjbG.exe
1768	UjbG.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe
1656	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

UjbG.exeUjbG.exeipconfig.exe

pid process

1636 UjbG.exe
1768 UjbG.exe
1768 UjbG.exe
1768 UjbG.exe
1656 ipconfig.exe
1656 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

UjbG.exeExplorer.EXEipconfig.exe

description pid process

Token: SeDebugPrivilege 1768 UjbG.exe
Token: SeShutdownPrivilege 1248 Explorer.EXE
Token: SeDebugPrivilege 1656 ipconfig.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exeEXCEL.EXE

pid process

2004 java.exe
288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE

pid	process
1636	UjbG.exe
1768	UjbG.exe
1768	UjbG.exe
1768	UjbG.exe
1656	ipconfig.exe
1656	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1768	UjbG.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeDebugPrivilege	1656	ipconfig.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
2004	java.exe
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

java.exeUjbG.execmd.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 2004 wrote to memory of 1636	2004	java.exe	UjbG.exe
PID 2004 wrote to memory of 1636	2004	java.exe	UjbG.exe
PID 2004 wrote to memory of 1636	2004	java.exe	UjbG.exe
PID 2004 wrote to memory of 1636	2004	java.exe	UjbG.exe
PID 1636 wrote to memory of 1724	1636	UjbG.exe	cmd.exe
PID 1636 wrote to memory of 1724	1636	UjbG.exe	cmd.exe
PID 1636 wrote to memory of 1724	1636	UjbG.exe	cmd.exe
PID 1636 wrote to memory of 1724	1636	UjbG.exe	cmd.exe
PID 1636 wrote to memory of 1768	1636	UjbG.exe	UjbG.exe
PID 1636 wrote to memory of 1768	1636	UjbG.exe	UjbG.exe
PID 1636 wrote to memory of 1768	1636	UjbG.exe	UjbG.exe
PID 1636 wrote to memory of 1768	1636	UjbG.exe	UjbG.exe
PID 1636 wrote to memory of 1768	1636	UjbG.exe	UjbG.exe
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 2004 wrote to memory of 288	2004	java.exe	EXCEL.EXE
PID 1724 wrote to memory of 1760	1724	cmd.exe	schtasks.exe
PID 1724 wrote to memory of 1760	1724	cmd.exe	schtasks.exe
PID 1724 wrote to memory of 1760	1724	cmd.exe	schtasks.exe
PID 1724 wrote to memory of 1760	1724	cmd.exe	schtasks.exe
PID 1248 wrote to memory of 1656	1248	Explorer.EXE	ipconfig.exe
PID 1248 wrote to memory of 1656	1248	Explorer.EXE	ipconfig.exe
PID 1248 wrote to memory of 1656	1248	Explorer.EXE	ipconfig.exe
PID 1248 wrote to memory of 1656	1248	Explorer.EXE	ipconfig.exe
PID 1656 wrote to memory of 1532	1656	ipconfig.exe	cmd.exe
PID 1656 wrote to memory of 1532	1656	ipconfig.exe	cmd.exe
PID 1656 wrote to memory of 1532	1656	ipconfig.exe	cmd.exe
PID 1656 wrote to memory of 1532	1656	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PO-RY 001-21 Accuri.jar"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\UjbG.exe
C:\Users\Admin\UjbG.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"
5⤵
- Creates scheduled task(s)
PID:1760

C:\Users\Admin\UjbG.exe
C:\Users\Admin\UjbG.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
3⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:288

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\UjbG.exe"
3⤵
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml

MD5
a035055e1c80bc652520df45650c690f

SHA1
37b8364ad46e17199eb5a7ee89bb506bba384adb

SHA256
2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655

SHA512
678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\ZnKfJA2RC6Bu.xlsx

MD5
119986be9f58ce4ec7253c0181b78d99

SHA1
d694e671a2842b58f4646ab8239dfcf98e9f3093

SHA256
9ba96b320d9901c41a9725f58f419b4b1f9c6a5e98ee176a14a96dfce3ec396a

SHA512
623e4d9db1f5ebbce4b33f9e09a3e1b2ca7106c6c1afb791227692dc7f88eef3f15b8edd820fbd4c37ebdff73e32baca66de14a1cff13d52cf5018b2861a2c50

Download Submit
\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
memory/288-12-0x0000000000000000-mapping.dmp

Download
memory/288-16-0x00000000719D1000-0x00000000719D3000-memory.dmp

Filesize
8KB

Download
memory/288-15-0x000000002F831000-0x000000002F834000-memory.dmp

Filesize
12KB

Download
memory/1064-35-0x000007FEF6850000-0x000007FEF6ACA000-memory.dmp

Filesize
2.5MB

Download
memory/1248-26-0x00000000075D0000-0x00000000075D4000-memory.dmp

Filesize
16KB

Download
memory/1248-36-0x00000000075D0000-0x00000000075D4000-memory.dmp

Filesize
16KB

Download
memory/1248-45-0x0000000007220000-0x000000000734F000-memory.dmp

Filesize
1.2MB

Download
memory/1248-25-0x0000000003B00000-0x0000000003B04000-memory.dmp

Filesize
16KB

Download
memory/1248-24-0x00000000075D0000-0x00000000075D4000-memory.dmp

Filesize
16KB

Download
memory/1248-23-0x0000000003B00000-0x0000000003B04000-memory.dmp

Filesize
16KB

Download
memory/1248-22-0x00000000075D0000-0x00000000075D4000-memory.dmp

Filesize
16KB

Download
memory/1248-20-0x0000000006AE0000-0x0000000006BD6000-memory.dmp

Filesize
984KB

Download
memory/1532-43-0x0000000000000000-mapping.dmp

Download
memory/1636-6-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1636-4-0x0000000000000000-mapping.dmp

Download
memory/1656-42-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/1656-38-0x0000000000000000-mapping.dmp

Download
memory/1656-40-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1656-41-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/1656-44-0x0000000000620000-0x00000000006AF000-memory.dmp

Filesize
572KB

Download
memory/1724-8-0x0000000000000000-mapping.dmp

Download
memory/1760-13-0x0000000000000000-mapping.dmp

Download
memory/1768-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1768-19-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/1768-18-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/1768-10-0x000000000041CFF0-mapping.dmp

Download
memory/2004-2-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/2004-3-0x0000000002260000-0x00000000024D0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads