formbook | 1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab

General

Target

dira2.exe
Size

914KB
MD5

7f67485d2d0a280dce0e66d24fa97972
SHA1

508369a537e7db8b44505f2d2d55f57ddefad947
SHA256

1e0ffffac4a1077450af5cd08414d45c275605cdedd7a3138a863b96ea3624ab
SHA512

f614fc558d676510958a64dd2c83edd280dce713a28e3276b3d840f20b39a816e4175d5cd53e4830cf36c425cb3d2951f63e19b977d889c22b5a7a3a34b7e2f3

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3692-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3692-13-0x000000000041CFF0-mapping.dmp	xloader
behavioral2/memory/3660-20-0x0000000000600000-0x0000000000628000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

dira2.exedira2.exesvchost.exe

description	pid	process	target process
PID 4052 set thread context of 3692	4052	dira2.exe	dira2.exe
PID 3692 set thread context of 3028	3692	dira2.exe	Explorer.EXE
PID 3660 set thread context of 3028	3660	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

dira2.exedira2.exesvchost.exe

pid	process
4052	dira2.exe
4052	dira2.exe
3692	dira2.exe
3692	dira2.exe
3692	dira2.exe
3692	dira2.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe
3660	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dira2.exesvchost.exe

pid process

3692 dira2.exe
3692 dira2.exe
3692 dira2.exe
3660 svchost.exe
3660 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dira2.exedira2.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4052 dira2.exe
Token: SeDebugPrivilege 3692 dira2.exe
Token: SeDebugPrivilege 3660 svchost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE

pid	process
3692	dira2.exe
3692	dira2.exe
3692	dira2.exe
3660	svchost.exe
3660	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4052	dira2.exe
Token: SeDebugPrivilege	3692	dira2.exe
Token: SeDebugPrivilege	3660	svchost.exe

pid	process
3028	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dira2.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4052 wrote to memory of 8	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 8	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 8	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 4052 wrote to memory of 3692	4052	dira2.exe	dira2.exe
PID 3028 wrote to memory of 3660	3028	Explorer.EXE	svchost.exe
PID 3028 wrote to memory of 3660	3028	Explorer.EXE	svchost.exe
PID 3028 wrote to memory of 3660	3028	Explorer.EXE	svchost.exe
PID 3660 wrote to memory of 2124	3660	svchost.exe	cmd.exe
PID 3660 wrote to memory of 2124	3660	svchost.exe	cmd.exe
PID 3660 wrote to memory of 2124	3660	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\dira2.exe
"C:\Users\Admin\AppData\Local\Temp\dira2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\dira2.exe
"C:\Users\Admin\AppData\Local\Temp\dira2.exe"
3⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\dira2.exe
"C:\Users\Admin\AppData\Local\Temp\dira2.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dira2.exe"
3⤵
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-22-0x0000000000000000-mapping.dmp

Download
memory/3028-17-0x0000000006D50000-0x0000000006E60000-memory.dmp

Filesize
1.1MB

Download
memory/3028-25-0x0000000006E60000-0x0000000006F78000-memory.dmp

Filesize
1.1MB

Download
memory/3660-24-0x0000000000BD0000-0x0000000000C5F000-memory.dmp

Filesize
572KB

Download
memory/3660-19-0x0000000001310000-0x000000000131C000-memory.dmp

Filesize
48KB

Download
memory/3660-21-0x0000000000F90000-0x00000000012B0000-memory.dmp

Filesize
3.1MB

Download
memory/3660-20-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download
memory/3660-18-0x0000000000000000-mapping.dmp

Download
memory/3692-13-0x000000000041CFF0-mapping.dmp

Download
memory/3692-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3692-15-0x00000000012E0000-0x0000000001600000-memory.dmp

Filesize
3.1MB

Download
memory/3692-16-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/4052-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-11-0x0000000008130000-0x0000000008191000-memory.dmp

Filesize
388KB

Download
memory/4052-10-0x00000000076F0000-0x0000000007713000-memory.dmp

Filesize
140KB

Download
memory/4052-9-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/4052-8-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/4052-7-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/4052-6-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/4052-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads