formbook | 3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4

General

Target

Doc_3957495686846574893974939464936488463936484,pdf.exe
Size

77KB
MD5

1662b1ff6de1371a09ecabb5a2c14905
SHA1

5a9353c5b8b1e1b19b7879cd483c9f715237c478
SHA256

3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4
SHA512

ae20025d79fbfbf85bceeaca71fcd170966eaa71761dffc4d96405311e314f44b4f6d5573747b6923da0477c0a2ba1ecd95c14e917aa9408c157c6964fd3b68f

Score

10^/10

formbook xloader evasion loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aubonmarcheduparc.com/rina/

Decoy

syndicauto.net

techvorx.com

palletrackingvancouver.com

pricetrackerindia.com

photocravings.com

jenniferlwilsonrn.com

cartucce-toner.com

fred-auto-sport.com

aletheajean.com

beautyhacks.website

seoalmaguer.com

cursoencasa.net

flex-eg.com

dygdreams.com

magnoliadawson.com

whitehouseeffectband.com

visualtrigger.art

kalinahybridseeds.com

glacesnamur.com

drbordogna.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/844-18-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/844-19-0x000000000041D0A0-mapping.dmp	xloader

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Doc_3957495686846574893974939464936488463936484,pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Doc_3957495686846574893974939464936488463936484,pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	pid	process	target process
PID 780 set thread context of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 780 WerFault.exe Doc_3957495686846574893974939464936488463936484,pdf.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1512 timeout.exe

pid	pid_target	process	target process
1440	780	WerFault.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
1512	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeDoc_3957495686846574893974939464936488463936484,pdf.exeDoc_3957495686846574893974939464936488463936484,pdf.exeWerFault.exe

pid	process
908	powershell.exe
908	powershell.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
780	Doc_3957495686846574893974939464936488463936484,pdf.exe
844	Doc_3957495686846574893974939464936488463936484,pdf.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	780	Doc_3957495686846574893974939464936488463936484,pdf.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1440	WerFault.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.execmd.exe

description	pid	process	target process
PID 780 wrote to memory of 908	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 780 wrote to memory of 908	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 780 wrote to memory of 908	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 780 wrote to memory of 908	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 780 wrote to memory of 1000	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 780 wrote to memory of 1000	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 780 wrote to memory of 1000	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 780 wrote to memory of 1000	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 1000 wrote to memory of 1512	1000	cmd.exe	timeout.exe
PID 1000 wrote to memory of 1512	1000	cmd.exe	timeout.exe
PID 1000 wrote to memory of 1512	1000	cmd.exe	timeout.exe
PID 1000 wrote to memory of 1512	1000	cmd.exe	timeout.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 844	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 780 wrote to memory of 1440	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	WerFault.exe
PID 780 wrote to memory of 1440	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	WerFault.exe
PID 780 wrote to memory of 1440	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	WerFault.exe
PID 780 wrote to memory of 1440	780	Doc_3957495686846574893974939464936488463936484,pdf.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1512

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1320
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/780-5-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/780-6-0x0000000000270000-0x000000000030B000-memory.dmp

Filesize
620KB

Download
memory/780-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/844-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/844-23-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/844-19-0x000000000041D0A0-mapping.dmp

Download
memory/908-27-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/908-33-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/908-12-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/908-13-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/908-14-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/908-16-0x0000000002682000-0x0000000002683000-memory.dmp

Filesize
4KB

Download
memory/908-15-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/908-17-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/908-57-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/908-56-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/908-55-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/908-41-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/908-8-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/908-40-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/908-7-0x0000000000000000-mapping.dmp

Download
memory/908-32-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/908-11-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-9-0x0000000000000000-mapping.dmp

Download
memory/1440-24-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1440-21-0x00000000020A0000-0x00000000020B1000-memory.dmp

Filesize
68KB

Download
memory/1440-20-0x0000000000000000-mapping.dmp

Download
memory/1512-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads