formbook | 1c9bd5c0c394b6aa7606bac0e69e85d65c5321ac6a17d9615d7e3a813bf44193

General

Target

Statement for T10495.jar
Size

811KB
MD5

0764a56dda2fd74d87e9303972af246c
SHA1

e0cb38683d4a5e83c4d26cd11cbdd97a42aef8d6
SHA256

1c9bd5c0c394b6aa7606bac0e69e85d65c5321ac6a17d9615d7e3a813bf44193
SHA512

c8835d58181d9f6c51d2b7fa1c980678211a004030d6a5f6fcb4dbfd332df7d1073f7ddc966fe151134357e099af510f0edfb758a462042f74c008ae31d09333

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.dmvantalya.com/bnuw/

Decoy

amgggma.com

reptilerus.com

degearboss.com

jennaelsbakeshop.com

invisablescreen.com

beingsingleda.com

2nsupplements.online

12862.xyz

expand.care

romeoalchimistefullmental.com

7750166.com

brendonellis.com

sprayfoamharlemny.com

bukannyaterbuai30.com

boatpiz.com

stylistrx.com

decorationhaven.com

stockaro.com

state728.com

secretlairtoys.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1828-15-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1368-26-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exe

pid process

736 Ckt40j50xJfd.exe
1828 Ckt40j50xJfd.exe
Loads dropped DLL 1 IoCs

Processes:

Ckt40j50xJfd.exe

pid process

736 Ckt40j50xJfd.exe

pid	process
736	Ckt40j50xJfd.exe
1828	Ckt40j50xJfd.exe

pid	process
736	Ckt40j50xJfd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exeexplorer.exe

description	pid	process	target process
PID 736 set thread context of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 1828 set thread context of 1236	1828	Ckt40j50xJfd.exe	Explorer.EXE
PID 1368 set thread context of 1236	1368	explorer.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Explorer.EXE

description ioc process

File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe Explorer.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1724 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE

pid	process
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Ckt40j50xJfd.exeexplorer.exe

pid	process
1828	Ckt40j50xJfd.exe
1828	Ckt40j50xJfd.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe
1368	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1732 AcroRd32.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exeexplorer.exe

pid process

736 Ckt40j50xJfd.exe
1828 Ckt40j50xJfd.exe
1828 Ckt40j50xJfd.exe
1828 Ckt40j50xJfd.exe
1368 explorer.exe
1368 explorer.exe

pid	process
1732	AcroRd32.exe

pid	process
736	Ckt40j50xJfd.exe
1828	Ckt40j50xJfd.exe
1828	Ckt40j50xJfd.exe
1828	Ckt40j50xJfd.exe
1368	explorer.exe
1368	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Ckt40j50xJfd.exeExplorer.EXEexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1828	Ckt40j50xJfd.exe
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeDebugPrivilege	1368	explorer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exeAcroRd32.exe

pid process

1088 java.exe
1732 AcroRd32.exe
1732 AcroRd32.exe
1732 AcroRd32.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1088	java.exe
1732	AcroRd32.exe
1732	AcroRd32.exe
1732	AcroRd32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

java.exeCkt40j50xJfd.execmd.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1088 wrote to memory of 736	1088	java.exe	Ckt40j50xJfd.exe
PID 1088 wrote to memory of 736	1088	java.exe	Ckt40j50xJfd.exe
PID 1088 wrote to memory of 736	1088	java.exe	Ckt40j50xJfd.exe
PID 1088 wrote to memory of 736	1088	java.exe	Ckt40j50xJfd.exe
PID 736 wrote to memory of 1508	736	Ckt40j50xJfd.exe	cmd.exe
PID 736 wrote to memory of 1508	736	Ckt40j50xJfd.exe	cmd.exe
PID 736 wrote to memory of 1508	736	Ckt40j50xJfd.exe	cmd.exe
PID 736 wrote to memory of 1508	736	Ckt40j50xJfd.exe	cmd.exe
PID 1088 wrote to memory of 1732	1088	java.exe	AcroRd32.exe
PID 1088 wrote to memory of 1732	1088	java.exe	AcroRd32.exe
PID 1088 wrote to memory of 1732	1088	java.exe	AcroRd32.exe
PID 1088 wrote to memory of 1732	1088	java.exe	AcroRd32.exe
PID 736 wrote to memory of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 736 wrote to memory of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 736 wrote to memory of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 736 wrote to memory of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 736 wrote to memory of 1828	736	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 1508 wrote to memory of 1724	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1724	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1724	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1724	1508	cmd.exe	schtasks.exe
PID 1236 wrote to memory of 1368	1236	Explorer.EXE	explorer.exe
PID 1236 wrote to memory of 1368	1236	Explorer.EXE	explorer.exe
PID 1236 wrote to memory of 1368	1236	Explorer.EXE	explorer.exe
PID 1236 wrote to memory of 1368	1236	Explorer.EXE	explorer.exe
PID 1368 wrote to memory of 1636	1368	explorer.exe	cmd.exe
PID 1368 wrote to memory of 1636	1368	explorer.exe	cmd.exe
PID 1368 wrote to memory of 1636	1368	explorer.exe	cmd.exe
PID 1368 wrote to memory of 1636	1368	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Statement for T10495.jar"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\Ckt40j50xJfd.exe
C:\Users\Admin\Ckt40j50xJfd.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml"
4⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml"
5⤵
- Creates scheduled task(s)
PID:1724

C:\Users\Admin\Ckt40j50xJfd.exe
C:\Users\Admin\Ckt40j50xJfd.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\hi3A9NUbhQ.pdf"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Ckt40j50xJfd.exe"
3⤵
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml
MD5
9313352a59e3b368ab4eb8173567c406

SHA1
fc776c28e3ae9bd5e68f25c2a4f6248126731370

SHA256
469d4994320f37196faca4de8ada85161a43dd42c9405b283bea5e4ea84c9a8d

SHA512
000f6edf387b4ea0f244003fad3f66be5eb1920012838ba3a19c3f2dcde973fce8450c8e556c22cc20f7a3a0980d735fb169ecfafd440993c9fe5b8875fc7462

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\hi3A9NUbhQ.pdf
MD5
05feac88a3982cd6f58520ba3efdcfab

SHA1
b65289e98c62ca821da2c2dc2446fc3cd087d4ee

SHA256
06b91869bf886c49fc0871005f9001c7e3f2819e85ec27c12e4253f3e3f548a0

SHA512
5f5e5bbbb2a31ec0c5a02bf5b112613aa5beea9e14b2dfc4b44a342dfebc0e08aeacdb28e9ec6cf6eb6e002485f77dedeb38e18fb186277a0aced0d10a419297

Download Submit
\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
memory/736-7-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/736-4-0x0000000000000000-mapping.dmp

Download
memory/1088-2-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/1088-3-0x0000000002190000-0x0000000002400000-memory.dmp

Filesize
2.4MB

Download
memory/1236-29-0x00000000061B0000-0x0000000006310000-memory.dmp

Filesize
1.4MB

Download
memory/1236-19-0x0000000003BD0000-0x0000000003CED000-memory.dmp

Filesize
1.1MB

Download
memory/1368-21-0x0000000000000000-mapping.dmp

Download
memory/1368-28-0x0000000002180000-0x000000000220F000-memory.dmp

Filesize
572KB

Download
memory/1368-25-0x00000000007C0000-0x0000000000A41000-memory.dmp

Filesize
2.5MB

Download
memory/1368-27-0x0000000002310000-0x0000000002613000-memory.dmp

Filesize
3.0MB

Download
memory/1368-26-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1368-23-0x0000000074631000-0x0000000074633000-memory.dmp

Filesize
8KB

Download
memory/1508-8-0x0000000000000000-mapping.dmp

Download
memory/1636-24-0x0000000000000000-mapping.dmp

Download
memory/1724-14-0x0000000000000000-mapping.dmp

Download
memory/1732-9-0x0000000000000000-mapping.dmp

Download
memory/1828-18-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/1828-16-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/1828-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-12-0x000000000041CFF0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads