formbook | 33f302f22ca7cfa4de06befaab200c53337b218196a9ef16ff6139d7f09a9b87

General

Target

VCS58GQMhuCYghC.exe
Size

937KB
MD5

e36cffd41bac0837943e65c6e96d8f82
SHA1

048bdd4d332b56b10b7505800b4a869d91b4670e
SHA256

33f302f22ca7cfa4de06befaab200c53337b218196a9ef16ff6139d7f09a9b87
SHA512

7c87990fd8cc633280a85d7ab81e6a24edc89053ec58400eb5b0444276540cd4d21ce518086da8dca86fa1febf969f284dd037877ff29f357226fb25a7701dfb

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.allismd.com/ur06/

Decoy

philippebrooksdesign.com

cmoorestudio.com

profille-sarina23tammara.club

dqulxe.com

uiffinger.com

nolarapper.com

maconanimalexterminator.com

bisovka.com

loveisloveent.com

datication.com

spxo66.com

drhelpnow.com

ladybug-cle.com

macocome.com

thepoppysocks.com

eldritchparadox.com

mercadolibre.company

ismartfarm.com

kansascarlot.com

kevinld.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/940-4-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/940-5-0x000000000041D000-mapping.dmp	xloader
behavioral2/memory/580-12-0x0000000002CA0000-0x0000000002CC8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

VCS58GQMhuCYghC.exeVCS58GQMhuCYghC.exehelp.exe

description	pid	process	target process
PID 640 set thread context of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 940 set thread context of 3052	940	VCS58GQMhuCYghC.exe	Explorer.EXE
PID 580 set thread context of 3052	580	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

VCS58GQMhuCYghC.exehelp.exe

pid	process
940	VCS58GQMhuCYghC.exe
940	VCS58GQMhuCYghC.exe
940	VCS58GQMhuCYghC.exe
940	VCS58GQMhuCYghC.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe
580	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

VCS58GQMhuCYghC.exehelp.exe

pid process

940 VCS58GQMhuCYghC.exe
940 VCS58GQMhuCYghC.exe
940 VCS58GQMhuCYghC.exe
580 help.exe
580 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VCS58GQMhuCYghC.exehelp.exe

description pid process

Token: SeDebugPrivilege 940 VCS58GQMhuCYghC.exe
Token: SeDebugPrivilege 580 help.exe

description	pid	process
Token: SeDebugPrivilege	940	VCS58GQMhuCYghC.exe
Token: SeDebugPrivilege	580	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

VCS58GQMhuCYghC.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 640 wrote to memory of 940	640	VCS58GQMhuCYghC.exe	VCS58GQMhuCYghC.exe
PID 3052 wrote to memory of 580	3052	Explorer.EXE	help.exe
PID 3052 wrote to memory of 580	3052	Explorer.EXE	help.exe
PID 3052 wrote to memory of 580	3052	Explorer.EXE	help.exe
PID 580 wrote to memory of 3408	580	help.exe	cmd.exe
PID 580 wrote to memory of 3408	580	help.exe	cmd.exe
PID 580 wrote to memory of 3408	580	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\VCS58GQMhuCYghC.exe
"C:\Users\Admin\AppData\Local\Temp\VCS58GQMhuCYghC.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\VCS58GQMhuCYghC.exe
"C:\Users\Admin\AppData\Local\Temp\VCS58GQMhuCYghC.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\VCS58GQMhuCYghC.exe"
3⤵
PID:3408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-10-0x0000000000000000-mapping.dmp

Download
memory/580-15-0x0000000003800000-0x000000000388F000-memory.dmp

Filesize
572KB

Download
memory/580-14-0x00000000034E0000-0x0000000003800000-memory.dmp

Filesize
3.1MB

Download
memory/580-12-0x0000000002CA0000-0x0000000002CC8000-memory.dmp

Filesize
160KB

Download
memory/580-11-0x0000000000C90000-0x0000000000C97000-memory.dmp

Filesize
28KB

Download
memory/640-3-0x0000000003351000-0x0000000003352000-memory.dmp

Filesize
4KB

Download
memory/640-2-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/940-5-0x000000000041D000-mapping.dmp

Download
memory/940-8-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/940-7-0x0000000001960000-0x0000000001C80000-memory.dmp

Filesize
3.1MB

Download
memory/940-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-9-0x0000000004F60000-0x00000000050FF000-memory.dmp

Filesize
1.6MB

Download
memory/3052-16-0x0000000005EC0000-0x0000000006028000-memory.dmp

Filesize
1.4MB

Download
memory/3408-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads