formbook | 63b3402660ff4a015ff3bf516ece2da73234e315f5b0b7235ef3c4523d846152

General

Target

PO-RY 001-21 Accuri.jar
Size

372KB
MD5

c57bb7c025860397afdef61c676ead90
SHA1

6b2195e0b140ad27c5fd909f4944b5a63c2a6e08
SHA256

63b3402660ff4a015ff3bf516ece2da73234e315f5b0b7235ef3c4523d846152
SHA512

7f1ddd540b4cb316101e1facb8a217047d607b7bcd9e888f020d2ca4fa46f0e04747fc465424f87c7e1a4c8713aa84bb34b33f4e2b97edb16d4c66392f90f6bd

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.dmvantalya.com/bnuw/

Decoy

amgggma.com

reptilerus.com

degearboss.com

jennaelsbakeshop.com

invisablescreen.com

beingsingleda.com

2nsupplements.online

12862.xyz

expand.care

romeoalchimistefullmental.com

7750166.com

brendonellis.com

sprayfoamharlemny.com

bukannyaterbuai30.com

boatpiz.com

stylistrx.com

decorationhaven.com

stockaro.com

state728.com

secretlairtoys.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1384-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3980-25-0x00000000006C0000-0x00000000006E8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

UjbG.exeUjbG.exe

pid process

3356 UjbG.exe
1384 UjbG.exe

pid	process
3356	UjbG.exe
1384	UjbG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

UjbG.exeUjbG.exemsdt.exe

description	pid	process	target process
PID 3356 set thread context of 1384	3356	UjbG.exe	UjbG.exe
PID 1384 set thread context of 3048	1384	UjbG.exe	Explorer.EXE
PID 3980 set thread context of 3048	3980	msdt.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

936 schtasks.exe

pid	process
936	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 1 IoCs

Processes:

java.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings java.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

540 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	java.exe

pid	process
540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

UjbG.exemsdt.exe

pid	process
1384	UjbG.exe
1384	UjbG.exe
1384	UjbG.exe
1384	UjbG.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe
3980	msdt.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

UjbG.exeUjbG.exemsdt.exe

pid process

3356 UjbG.exe
1384 UjbG.exe
1384 UjbG.exe
1384 UjbG.exe
3980 msdt.exe
3980 msdt.exe

pid	process
3356	UjbG.exe
1384	UjbG.exe
1384	UjbG.exe
1384	UjbG.exe
3980	msdt.exe
3980	msdt.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

UjbG.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	1384	UjbG.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeDebugPrivilege	3980	msdt.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of FindShellTrayWindow 20 IoCs

Processes:

Explorer.EXE

pid	process
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE
3048	Explorer.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

java.exeEXCEL.EXE

pid	process
496	java.exe
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE
540	EXCEL.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

java.exeUjbG.execmd.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 496 wrote to memory of 3356	496	java.exe	UjbG.exe
PID 496 wrote to memory of 3356	496	java.exe	UjbG.exe
PID 496 wrote to memory of 3356	496	java.exe	UjbG.exe
PID 3356 wrote to memory of 3572	3356	UjbG.exe	cmd.exe
PID 3356 wrote to memory of 3572	3356	UjbG.exe	cmd.exe
PID 3356 wrote to memory of 3572	3356	UjbG.exe	cmd.exe
PID 3356 wrote to memory of 1384	3356	UjbG.exe	UjbG.exe
PID 3356 wrote to memory of 1384	3356	UjbG.exe	UjbG.exe
PID 3356 wrote to memory of 1384	3356	UjbG.exe	UjbG.exe
PID 3356 wrote to memory of 1384	3356	UjbG.exe	UjbG.exe
PID 3572 wrote to memory of 936	3572	cmd.exe	schtasks.exe
PID 3572 wrote to memory of 936	3572	cmd.exe	schtasks.exe
PID 3572 wrote to memory of 936	3572	cmd.exe	schtasks.exe
PID 496 wrote to memory of 540	496	java.exe	EXCEL.EXE
PID 496 wrote to memory of 540	496	java.exe	EXCEL.EXE
PID 496 wrote to memory of 540	496	java.exe	EXCEL.EXE
PID 3048 wrote to memory of 3980	3048	Explorer.EXE	msdt.exe
PID 3048 wrote to memory of 3980	3048	Explorer.EXE	msdt.exe
PID 3048 wrote to memory of 3980	3048	Explorer.EXE	msdt.exe
PID 3980 wrote to memory of 3092	3980	msdt.exe	cmd.exe
PID 3980 wrote to memory of 3092	3980	msdt.exe	cmd.exe
PID 3980 wrote to memory of 3092	3980	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PO-RY 001-21 Accuri.jar"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\UjbG.exe
C:\Users\Admin\UjbG.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"
4⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"
5⤵
- Creates scheduled task(s)
PID:936

C:\Users\Admin\UjbG.exe
C:\Users\Admin\UjbG.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\ZnKfJA2RC6Bu.xlsx"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:540

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\UjbG.exe"
3⤵
PID:3092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml

MD5
a36564afc14b3eb0849c01a3afdb9944

SHA1
4dcee9fae3fde4e46b08529bc0ba067150686f07

SHA256
9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

SHA512
782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5
07af266b0ddfcb6350b90c5a720833e9

SHA1
5a3a075a7560b1cfd55a6b59c8e17b9d9f0a7306

SHA256
a59528ae0f6e1d08815b506a512f026eaa4cc27665d498bc4190d849fa12c893

SHA512
289e19c36216c1b4566c2d167efba7b925926714c4d9d5423444a18fabb5233dc70d91431c766e497ee3b34bb8f0fe39754404def94515778456437ea93f581f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\UjbG.exe

MD5
625fcbea1821d2a1eaebabacace38109

SHA1
f5c88f49c439f42f7510ab49322dbb7852b25fe5

SHA256
113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2

SHA512
1058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e

Download Submit
C:\Users\Admin\ZnKfJA2RC6Bu.xlsx

MD5
119986be9f58ce4ec7253c0181b78d99

SHA1
d694e671a2842b58f4646ab8239dfcf98e9f3093

SHA256
9ba96b320d9901c41a9725f58f419b4b1f9c6a5e98ee176a14a96dfce3ec396a

SHA512
623e4d9db1f5ebbce4b33f9e09a3e1b2ca7106c6c1afb791227692dc7f88eef3f15b8edd820fbd4c37ebdff73e32baca66de14a1cff13d52cf5018b2861a2c50

Download Submit
memory/496-2-0x0000000002640000-0x00000000028B0000-memory.dmp

Filesize
2.4MB

Download
memory/540-17-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/540-21-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/540-13-0x0000000000000000-mapping.dmp

Download
memory/540-20-0x00007FF808D40000-0x00007FF809377000-memory.dmp

Filesize
6.2MB

Download
memory/540-19-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/540-18-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/936-9-0x0000000000000000-mapping.dmp

Download
memory/1384-7-0x000000000041CFF0-mapping.dmp

Download
memory/1384-15-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1384-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1384-14-0x0000000001380000-0x00000000016A0000-memory.dmp

Filesize
3.1MB

Download
memory/3048-16-0x0000000005600000-0x0000000005763000-memory.dmp

Filesize
1.4MB

Download
memory/3048-29-0x0000000007150000-0x0000000007279000-memory.dmp

Filesize
1.2MB

Download
memory/3092-23-0x0000000000000000-mapping.dmp

Download
memory/3356-3-0x0000000000000000-mapping.dmp

Download
memory/3572-6-0x0000000000000000-mapping.dmp

Download
memory/3980-24-0x0000000001150000-0x00000000012C3000-memory.dmp

Filesize
1.4MB

Download
memory/3980-26-0x0000000004870000-0x0000000004B90000-memory.dmp

Filesize
3.1MB

Download
memory/3980-28-0x00000000046D0000-0x000000000475F000-memory.dmp

Filesize
572KB

Download
memory/3980-25-0x00000000006C0000-0x00000000006E8000-memory.dmp

Filesize
160KB

Download
memory/3980-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads