formbook | 3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18

General

Target

f0f1a843b50f76e7236cc32dedf1d65d.exe
Size

276KB
MD5

f0f1a843b50f76e7236cc32dedf1d65d
SHA1

f84f30a93355d46bbdbebfedc760188879b6db0b
SHA256

3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18
SHA512

f856db58b39aacbc858a248a7352ee20e63ac3a50966ebb9a95bcacad6221d98eff7a8f4024fae08badfc45396a7312a8bf70e69e5802777b7e34ef6e48342a2

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.douzhuan168.com/o8na/

Decoy

www1669099.com

digitalallserv.com

thiszzzwq.info

dallasoswalt.info

ladolcefesta.com

mariamalikially.com

origenbsas.com

antichoc.watch

tropicalbirdtoys.com

bbluedotvrwdbuy.com

racevx.xyz

ut-trustandwill.com

maximumhomeoffers.com

wrapname.com

hypelighystrip.com

oshoum2020.com

parkwestmi.com

themodumall.com

tempuslawnandsnow.com

dailypromo.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1948-4-0x000000000041D040-mapping.dmp	xloader
behavioral1/memory/1948-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1684-6-0x0000000000220000-0x000000000024A000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f0f1a843b50f76e7236cc32dedf1d65d.exe

description pid process target process

PID 1684 set thread context of 1948 1684 f0f1a843b50f76e7236cc32dedf1d65d.exe f0f1a843b50f76e7236cc32dedf1d65d.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f0f1a843b50f76e7236cc32dedf1d65d.exe

pid process

1948 f0f1a843b50f76e7236cc32dedf1d65d.exe

description	pid	process	target process
PID 1684 set thread context of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe

pid	process
1948	f0f1a843b50f76e7236cc32dedf1d65d.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f0f1a843b50f76e7236cc32dedf1d65d.exe

description	pid	process	target process
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe
PID 1684 wrote to memory of 1948	1684	f0f1a843b50f76e7236cc32dedf1d65d.exe	f0f1a843b50f76e7236cc32dedf1d65d.exe

C:\Users\Admin\AppData\Local\Temp\f0f1a843b50f76e7236cc32dedf1d65d.exe
"C:\Users\Admin\AppData\Local\Temp\f0f1a843b50f76e7236cc32dedf1d65d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\f0f1a843b50f76e7236cc32dedf1d65d.exe
"C:\Users\Admin\AppData\Local\Temp\f0f1a843b50f76e7236cc32dedf1d65d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-2-0x0000000004F40000-0x0000000004F51000-memory.dmp

Filesize
68KB

Download
memory/1684-5-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1684-6-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1948-4-0x000000000041D040-mapping.dmp

Download
memory/1948-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1948-8-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing