formbook | 3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4

General

Target

Doc_3957495686846574893974939464936488463936484,pdf.exe
Size

77KB
MD5

1662b1ff6de1371a09ecabb5a2c14905
SHA1

5a9353c5b8b1e1b19b7879cd483c9f715237c478
SHA256

3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4
SHA512

ae20025d79fbfbf85bceeaca71fcd170966eaa71761dffc4d96405311e314f44b4f6d5573747b6923da0477c0a2ba1ecd95c14e917aa9408c157c6964fd3b68f

Score

10^/10

formbook xloader evasion loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aubonmarcheduparc.com/rina/

Decoy

syndicauto.net

techvorx.com

palletrackingvancouver.com

pricetrackerindia.com

photocravings.com

jenniferlwilsonrn.com

cartucce-toner.com

fred-auto-sport.com

aletheajean.com

beautyhacks.website

seoalmaguer.com

cursoencasa.net

flex-eg.com

dygdreams.com

magnoliadawson.com

whitehouseeffectband.com

visualtrigger.art

kalinahybridseeds.com

glacesnamur.com

drbordogna.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1236-18-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/1236-19-0x000000000041D0A0-mapping.dmp	xloader

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Doc_3957495686846574893974939464936488463936484,pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Doc_3957495686846574893974939464936488463936484,pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	pid	process	target process
PID 616 set thread context of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3184 616 WerFault.exe Doc_3957495686846574893974939464936488463936484,pdf.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3440 timeout.exe

pid	pid_target	process	target process
3184	616	WerFault.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
3440	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exeDoc_3957495686846574893974939464936488463936484,pdf.exeDoc_3957495686846574893974939464936488463936484,pdf.exeWerFault.exe

pid	process
3604	powershell.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
616	Doc_3957495686846574893974939464936488463936484,pdf.exe
1236	Doc_3957495686846574893974939464936488463936484,pdf.exe
1236	Doc_3957495686846574893974939464936488463936484,pdf.exe
3604	powershell.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3184	WerFault.exe
3604	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	616	Doc_3957495686846574893974939464936488463936484,pdf.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3184	WerFault.exe
Token: SeBackupPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	3184	WerFault.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 3604	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 616 wrote to memory of 3604	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 616 wrote to memory of 3604	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 616 wrote to memory of 1328	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 616 wrote to memory of 1328	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 616 wrote to memory of 1328	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 1328 wrote to memory of 3440	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 3440	1328	cmd.exe	timeout.exe
PID 1328 wrote to memory of 3440	1328	cmd.exe	timeout.exe
PID 616 wrote to memory of 3956	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 3956	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 3956	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 616 wrote to memory of 1236	616	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3440

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
2⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 1608
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/616-9-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/616-2-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/616-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/616-6-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/616-7-0x0000000002C20000-0x0000000002CBB000-memory.dmp

Filesize
620KB

Download
memory/616-8-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/616-3-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1236-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1236-25-0x0000000001440000-0x0000000001760000-memory.dmp

Filesize
3.1MB

Download
memory/1236-19-0x000000000041D0A0-mapping.dmp

Download
memory/1328-13-0x0000000000000000-mapping.dmp

Download
memory/3184-27-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3184-26-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/3440-15-0x0000000000000000-mapping.dmp

Download
memory/3604-11-0x0000000073160000-0x000000007384E000-memory.dmp

Filesize
6.9MB

Download
memory/3604-30-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/3604-17-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/3604-20-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/3604-21-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3604-23-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/3604-24-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/3604-14-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3604-12-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/3604-10-0x0000000000000000-mapping.dmp

Download
memory/3604-29-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3604-16-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3604-31-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/3604-33-0x00000000091E0000-0x0000000009213000-memory.dmp

Filesize
204KB

Download
memory/3604-40-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/3604-41-0x0000000009520000-0x0000000009521000-memory.dmp

Filesize
4KB

Download
memory/3604-42-0x000000007E750000-0x000000007E751000-memory.dmp

Filesize
4KB

Download
memory/3604-43-0x0000000004B43000-0x0000000004B44000-memory.dmp

Filesize
4KB

Download
memory/3604-44-0x00000000096E0000-0x00000000096E1000-memory.dmp

Filesize
4KB

Download
memory/3604-45-0x00000000085E0000-0x00000000085E1000-memory.dmp

Filesize
4KB

Download
memory/3604-47-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads