formbook | 752c933394c080ea667a1d098c603a7216c16cdfb2bae516d78a0aeb14543248

General

Target

payment _doc.exe
Size

884KB
MD5

d65c9fe128d2294055cc9b3238e67c07
SHA1

1495109fc0760f4becd195b790206a0fc00b89ce
SHA256

ad03ca16b05c593894d3cf90ea6ebe56f3ce6dc94dc0675234f357893f3aadfa
SHA512

60b9fb9c9d159dac7d9a486ebf7dba7387ac45ab184857a0721d59e2a78dc4a4e074b80126d912d4a00351345f564e283ef2bf7630c437147d398a52b4f9fb21

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.bimtracks.com/e3eb/

Decoy

jrgsestates.com

xpress-supplies.com

manniramart.com

2800delaware.com

abeltobaygo.com

audiologiamallorca.com

motormaniaintl.com

millennialluxuryliving.com

wrightrealestates.com

servicesguide.online

ignitejob.com

overdoza.com

deliveringcarsanywhere.com

lojahellomundo.com

245245.xyz

ngdbusa.com

bandarnalo.network

microbekr.com

myflycodes.club

weatherstationpolinema2020.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2040-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2040-14-0x000000000041D020-mapping.dmp	xloader
behavioral2/memory/3700-23-0x00000000003A0000-0x00000000003C8000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

payment _doc.exepayment _doc.exemsiexec.exe

description	pid	process	target process
PID 832 set thread context of 2040	832	payment _doc.exe	payment _doc.exe
PID 2040 set thread context of 2920	2040	payment _doc.exe	Explorer.EXE
PID 2040 set thread context of 2920	2040	payment _doc.exe	Explorer.EXE
PID 3700 set thread context of 2920	3700	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

payment _doc.exemsiexec.exe

pid	process
2040	payment _doc.exe
2040	payment _doc.exe
2040	payment _doc.exe
2040	payment _doc.exe
2040	payment _doc.exe
2040	payment _doc.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe
3700	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

payment _doc.exemsiexec.exe

pid process

2040 payment _doc.exe
2040 payment _doc.exe
2040 payment _doc.exe
2040 payment _doc.exe
3700 msiexec.exe
3700 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment _doc.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 2040 payment _doc.exe
Token: SeDebugPrivilege 3700 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2920 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2040	payment _doc.exe
Token: SeDebugPrivilege	3700	msiexec.exe

pid	process
2920	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment _doc.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 832 wrote to memory of 2040	832	payment _doc.exe	payment _doc.exe
PID 2920 wrote to memory of 3700	2920	Explorer.EXE	msiexec.exe
PID 2920 wrote to memory of 3700	2920	Explorer.EXE	msiexec.exe
PID 2920 wrote to memory of 3700	2920	Explorer.EXE	msiexec.exe
PID 3700 wrote to memory of 3428	3700	msiexec.exe	cmd.exe
PID 3700 wrote to memory of 3428	3700	msiexec.exe	cmd.exe
PID 3700 wrote to memory of 3428	3700	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\payment _doc.exe
"C:\Users\Admin\AppData\Local\Temp\payment _doc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\payment _doc.exe
"C:\Users\Admin\AppData\Local\Temp\payment _doc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment _doc.exe"
3⤵
PID:3428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-2-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/832-3-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/832-5-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/832-6-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/832-7-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/832-8-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/832-9-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/832-10-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/832-11-0x0000000005630000-0x0000000005653000-memory.dmp

Filesize
140KB

Download
memory/832-12-0x00000000061F0000-0x0000000006251000-memory.dmp

Filesize
388KB

Download
memory/2040-16-0x0000000001940000-0x0000000001C60000-memory.dmp

Filesize
3.1MB

Download
memory/2040-14-0x000000000041D020-mapping.dmp

Download
memory/2040-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2040-17-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/2040-19-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2920-18-0x0000000006BF0000-0x0000000006D41000-memory.dmp

Filesize
1.3MB

Download
memory/2920-20-0x0000000006D50000-0x0000000006E92000-memory.dmp

Filesize
1.3MB

Download
memory/2920-27-0x0000000000BD0000-0x0000000000C82000-memory.dmp

Filesize
712KB

Download
memory/3428-24-0x0000000000000000-mapping.dmp

Download
memory/3700-23-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/3700-22-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/3700-25-0x0000000004700000-0x0000000004A20000-memory.dmp

Filesize
3.1MB

Download
memory/3700-26-0x00000000043C0000-0x000000000444F000-memory.dmp

Filesize
572KB

Download
memory/3700-21-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads