formbook | fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6

General

Target

1bTpgGVn5mfDSUq.exe
Size

1.5MB
MD5

63b589dc5ab85b4e2238e4aedf98b9f9
SHA1

7bcb4a2f5971a267e8c8b5ed349daa4eccfc0c58
SHA256

fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
SHA512

28914ec758a2f7c3244967bbb76809d7403fe53972951164b1c9392d8b51c9388d9951b669dfde23d17157c961fb2c8a168a81a1cc0900b1ada1e5fc67361ba0

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.besteprobioticakopen.online/uszn/

Decoy

animegriptape.com

pcpnetworks.com

putupmybabyforadoption.com

xn--jvrr98g37n88d.com

fertinvitro.doctor

undonethread.com

avoleague.com

sissysundays.com

guilhermeoliveiro.site

catholicon-bespeckle.info

mardesuenosfundacion.com

songkhoe24.site

shoecityindia.com

smallbathroomdecor.info

tskusa.com

prairiespringsllc.com

kegncoffee.com

clicklounge.xyz

catholicendoflifeplanning.com

steelobzee.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1328-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1328-14-0x000000000041D0F0-mapping.dmp	xloader
behavioral2/memory/3600-21-0x00000000007D0000-0x00000000007F9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

1bTpgGVn5mfDSUq.exe1bTpgGVn5mfDSUq.exeraserver.exe

description	pid	process	target process
PID 1048 set thread context of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1328 set thread context of 2868	1328	1bTpgGVn5mfDSUq.exe	Explorer.EXE
PID 3600 set thread context of 2868	3600	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

1bTpgGVn5mfDSUq.exe1bTpgGVn5mfDSUq.exeraserver.exe

pid	process
1048	1bTpgGVn5mfDSUq.exe
1048	1bTpgGVn5mfDSUq.exe
1048	1bTpgGVn5mfDSUq.exe
1048	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe
3600	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

1bTpgGVn5mfDSUq.exeraserver.exe

pid process

1328 1bTpgGVn5mfDSUq.exe
1328 1bTpgGVn5mfDSUq.exe
1328 1bTpgGVn5mfDSUq.exe
3600 raserver.exe
3600 raserver.exe

pid	process
1328	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
1328	1bTpgGVn5mfDSUq.exe
3600	raserver.exe
3600	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1bTpgGVn5mfDSUq.exe1bTpgGVn5mfDSUq.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	1048	1bTpgGVn5mfDSUq.exe
Token: SeDebugPrivilege	1328	1bTpgGVn5mfDSUq.exe
Token: SeDebugPrivilege	3600	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1bTpgGVn5mfDSUq.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 1048 wrote to memory of 1328	1048	1bTpgGVn5mfDSUq.exe	1bTpgGVn5mfDSUq.exe
PID 2868 wrote to memory of 3600	2868	Explorer.EXE	raserver.exe
PID 2868 wrote to memory of 3600	2868	Explorer.EXE	raserver.exe
PID 2868 wrote to memory of 3600	2868	Explorer.EXE	raserver.exe
PID 3600 wrote to memory of 688	3600	raserver.exe	cmd.exe
PID 3600 wrote to memory of 688	3600	raserver.exe	cmd.exe
PID 3600 wrote to memory of 688	3600	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\1bTpgGVn5mfDSUq.exe
"C:\Users\Admin\AppData\Local\Temp\1bTpgGVn5mfDSUq.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\1bTpgGVn5mfDSUq.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\1bTpgGVn5mfDSUq.exe"
3⤵
PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-22-0x0000000000000000-mapping.dmp

Download
memory/1048-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1048-5-0x0000000004AB0000-0x0000000004B25000-memory.dmp

Filesize
468KB

Download
memory/1048-6-0x000000000A820000-0x000000000A821000-memory.dmp

Filesize
4KB

Download
memory/1048-7-0x000000000A3C0000-0x000000000A3C1000-memory.dmp

Filesize
4KB

Download
memory/1048-8-0x000000000A330000-0x000000000A331000-memory.dmp

Filesize
4KB

Download
memory/1048-9-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1048-10-0x0000000004CA0000-0x0000000004CAE000-memory.dmp

Filesize
56KB

Download
memory/1048-11-0x0000000004F40000-0x0000000004F94000-memory.dmp

Filesize
336KB

Download
memory/1048-12-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1048-2-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1328-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1328-16-0x0000000001510000-0x0000000001830000-memory.dmp

Filesize
3.1MB

Download
memory/1328-17-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/1328-14-0x000000000041D0F0-mapping.dmp

Download
memory/2868-18-0x0000000006220000-0x00000000062E5000-memory.dmp

Filesize
788KB

Download
memory/2868-25-0x00000000062F0000-0x00000000063EE000-memory.dmp

Filesize
1016KB

Download
memory/3600-19-0x0000000000000000-mapping.dmp

Download
memory/3600-20-0x0000000000EC0000-0x0000000000EDF000-memory.dmp

Filesize
124KB

Download
memory/3600-21-0x00000000007D0000-0x00000000007F9000-memory.dmp

Filesize
164KB

Download
memory/3600-23-0x00000000049C0000-0x0000000004CE0000-memory.dmp

Filesize
3.1MB

Download
memory/3600-24-0x0000000004910000-0x000000000499F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads