formbook | bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00882320002344-SwiftAdvice_pdf.exe
Size

188KB
MD5

9d7290bbe5611ee57a7604cbea3518f0
SHA1

d19769d9fb9970253f55decb8227b9d367eb78ba
SHA256

bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
SHA512

ab1e24e23770b35b5d32e2dd4b03f2e9be6fecbd3ce6987575a518d179aaab7aa9e0456ac90f0e7d8d90d067abc299d61f35b0973687463c4a458423c9e07ad0

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

http://www.floridaretaildevelopment.com/uoyd/

Decoy

precisehomeremodelinginc.com

brettslegal.com

mannokpackaging.com

syne.site

home-style-bg.com

testowadomena.com

postgrestosnowflake.com

costumes4babies.com

justcallkerriann.fyi

justbealegend.com

jnfwmy.com

cbuksdei.com

jehflrtic.icu

changefio.net

ka30066.com

hagusto.com

eastpeakessentials.com

upsppreworkcheck.com

duraghenni.com

joshadlesperger.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3464-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

00882320002344-SwiftAdvice_pdf.exe

description pid process target process

PID 4692 set thread context of 3464 4692 00882320002344-SwiftAdvice_pdf.exe 00882320002344-SwiftAdvice_pdf.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

00882320002344-SwiftAdvice_pdf.exe

pid process

3464 00882320002344-SwiftAdvice_pdf.exe
3464 00882320002344-SwiftAdvice_pdf.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

00882320002344-SwiftAdvice_pdf.exe

pid process

4692 00882320002344-SwiftAdvice_pdf.exe

description	pid	process	target process
PID 4692 set thread context of 3464	4692	00882320002344-SwiftAdvice_pdf.exe	00882320002344-SwiftAdvice_pdf.exe

pid	process
3464	00882320002344-SwiftAdvice_pdf.exe
3464	00882320002344-SwiftAdvice_pdf.exe

pid	process
4692	00882320002344-SwiftAdvice_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

00882320002344-SwiftAdvice_pdf.exe

description	pid	process	target process
PID 4692 wrote to memory of 3464	4692	00882320002344-SwiftAdvice_pdf.exe	00882320002344-SwiftAdvice_pdf.exe
PID 4692 wrote to memory of 3464	4692	00882320002344-SwiftAdvice_pdf.exe	00882320002344-SwiftAdvice_pdf.exe
PID 4692 wrote to memory of 3464	4692	00882320002344-SwiftAdvice_pdf.exe	00882320002344-SwiftAdvice_pdf.exe
PID 4692 wrote to memory of 3464	4692	00882320002344-SwiftAdvice_pdf.exe	00882320002344-SwiftAdvice_pdf.exe

C:\Users\Admin\AppData\Local\Temp\00882320002344-SwiftAdvice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\00882320002344-SwiftAdvice_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\00882320002344-SwiftAdvice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\00882320002344-SwiftAdvice_pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-2-0x000000000041D120-mapping.dmp

Download
memory/3464-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3464-4-0x0000000000C30000-0x0000000000F50000-memory.dmp

Filesize
3.1MB

Download