formbook | 5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122

General

Target

7195211e786ecd993b3c6a3176942d15.exe
Size

432KB
MD5

7195211e786ecd993b3c6a3176942d15
SHA1

b654f8e012d933e295b48d427d8939265d50a5e2
SHA256

5551c39b0838a38711babfe60b36dda8855791ce1512553858fbaff025d31122
SHA512

b784bce514162fa73dc1e3a9f63a6daaaac5037a636e0ab3645a1573cd5c1de1d71dbb7abed9a2ccfb50197c6d22f1102f547ae6bb87d765627ac84d53df47c2

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.inreachpt.com/gqx2/

Decoy

calusaptamiami.com

starlinkwebservices.com

lakeviewbarbershonola.com

oaklandraidersjerseyspop.com

ohiotechreport.com

eligetucafetera.com

tu4343.com

abstract-elearning.com

thebabylashes.com

athleteshive.com

fanninhomesforless.com

sembracna.com

servicesyn.com

bellairechoice.com

tmpaas.com

eyepaa.com

stickerzblvd.com

rentfs.com

nadya-shanab.com

microwgreens.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3920-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3920-13-0x000000000041D070-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exe

description pid process target process

PID 644 set thread context of 3920 644 7195211e786ecd993b3c6a3176942d15.exe 7195211e786ecd993b3c6a3176942d15.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

208 644 WerFault.exe 7195211e786ecd993b3c6a3176942d15.exe

description	pid	process	target process
PID 644 set thread context of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe

pid	pid_target	process	target process
208	644	WerFault.exe	7195211e786ecd993b3c6a3176942d15.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exeWerFault.exe

pid	process
3920	7195211e786ecd993b3c6a3176942d15.exe
3920	7195211e786ecd993b3c6a3176942d15.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe
208	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 208 WerFault.exe
Token: SeBackupPrivilege 208 WerFault.exe
Token: SeDebugPrivilege 208 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	208	WerFault.exe
Token: SeBackupPrivilege	208	WerFault.exe
Token: SeDebugPrivilege	208	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7195211e786ecd993b3c6a3176942d15.exe

description	pid	process	target process
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe
PID 644 wrote to memory of 3920	644	7195211e786ecd993b3c6a3176942d15.exe	7195211e786ecd993b3c6a3176942d15.exe

C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe
"C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe
"C:\Users\Admin\AppData\Local\Temp\7195211e786ecd993b3c6a3176942d15.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1172
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-17-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/644-9-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x00000000056C0000-0x0000000005716000-memory.dmp

Filesize
344KB

Download
memory/644-8-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/644-10-0x0000000005A80000-0x0000000005A8F000-memory.dmp

Filesize
60KB

Download
memory/644-11-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/644-14-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3920-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3920-13-0x000000000041D070-mapping.dmp

Download
memory/3920-16-0x0000000001000000-0x0000000001320000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads