formbook | 5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122

General

Target

7195211e786ecd993b3c6a3176942d15.exe
Size

432KB
MD5

7195211e786ecd993b3c6a3176942d15
SHA1

b654f8e012d933e295b48d427d8939265d50a5e2
SHA256

5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122
SHA512

b784bce514162fa73dc1e3a9f63a6daaaac5037a636e0ab3645a1573cd5c1de1d71dbb7abed9a2ccfb50197c6d22f1102f547ae6bb87d765627ac84d53df47c2

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.inreachpt.com/gqx2/

Decoy

calusaptamiami.com

starlinkwebservices.com

lakeviewbarbershonola.com

oaklandraidersjerseyspop.com

ohiotechreport.com

eligetucafetera.com

tu4343.com

abstract-elearning.com

thebabylashes.com

athleteshive.com

fanninhomesforless.com

sembracna.com

servicesyn.com

bellairechoice.com

tmpaas.com

eyepaa.com

stickerzblvd.com

rentfs.com

nadya-shanab.com

microwgreens.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1496-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1496-9-0x000000000041D070-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exe

description pid process target process

PID 1684 set thread context of 1496 1684 7195211e786ecd993b3c6a3176942d15.exe 7195211e786ecd993b3c6a3176942d15.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1932 1684 WerFault.exe 7195211e786ecd993b3c6a3176942d15.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exeWerFault.exe

pid process

1496 7195211e786ecd993b3c6a3176942d15.exe
1932 WerFault.exe
1932 WerFault.exe
1932 WerFault.exe
1932 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1932 WerFault.exe

description	pid	process	target process
PID 1684 set thread context of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe

pid	pid_target	process	target process
1932	1684	WerFault.exe	7195211e786ecd993b3c6a3176942d15.exe

pid	process
1496	7195211e786ecd993b3c6a3176942d15.exe
1932	WerFault.exe
1932	WerFault.exe
1932	WerFault.exe
1932	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1932	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exe

description	pid	process	target process
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1496	1684	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 1684 wrote to memory of 1932	1684	7195211e786ecd993b3c6a3176942d15.exe	WerFault.exe
PID 1684 wrote to memory of 1932	1684	7195211e786ecd993b3c6a3176942d15.exe	WerFault.exe
PID 1684 wrote to memory of 1932	1684	7195211e786ecd993b3c6a3176942d15.exe	WerFault.exe
PID 1684 wrote to memory of 1932	1684	7195211e786ecd993b3c6a3176942d15.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe
"C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe
"C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 664
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1496-9-0x000000000041D070-mapping.dmp

Download
memory/1496-11-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-3-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000001F40000-0x0000000001F96000-memory.dmp

Filesize
344KB

Download
memory/1684-6-0x0000000000390000-0x000000000039F000-memory.dmp

Filesize
60KB

Download
memory/1684-7-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1932-12-0x0000000000000000-mapping.dmp

Download
memory/1932-13-0x0000000001D80000-0x0000000001D91000-memory.dmp

Filesize
68KB

Download
memory/1932-14-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing