formbook | 2f954a9ae45e4a7a0a1131f5ca55cd20da04b1416276897377e9490c428f691a

General

Target

scm928192.exe
Size

237KB
MD5

ea2aaf3a9a00cab64376035e9291c7cc
SHA1

28683f918a9c4195ff93ca2027642949444770c0
SHA256

7bd662ff22dd43bb8e23046925d83ae5125824776c6b4209cc50417205c91e6c
SHA512

aa50e615fb57b3ce1963b8cbdf1b561c15f72bef210e4f80e4854a98ecd4915c32636b139637c0d36b4b00e1cfbdd57418b5e2891916fb1ccc2d5ba167b4ca1d

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.dopiel.com/s0ps/

Decoy

vexura.com

xnl.xyz

lumpen.party

ourdatajourney.com

globalprofessionalsummit.com

wellnesspasssite.com

lafronteraradio.com

voterchallengeva.com

campanatv.com

militarychiro.com

cowbex.info

mosquitosolutionsalpha.com

healthykala.com

xmsealite.com

xn--ock1cjz.com

advocate-quota.com

karecfo.com

vettedwealthmanagement.com

everlein.com

lashundaclaiborn.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2004-5-0x0000000000550000-0x000000000058A000-memory.dmp	xloader
behavioral1/memory/2004-7-0x0000000000920000-0x0000000000949000-memory.dmp	xloader
behavioral1/memory/824-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/824-12-0x000000000041D000-mapping.dmp	xloader
behavioral1/memory/1924-19-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

scm928192.exesvchost.execmmon32.exe

description	pid	process	target process
PID 2004 set thread context of 824	2004	scm928192.exe	svchost.exe
PID 824 set thread context of 1304	824	svchost.exe	Explorer.EXE
PID 1924 set thread context of 1304	1924	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

svchost.execmmon32.exe

pid	process
824	svchost.exe
824	svchost.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe
1924	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

svchost.execmmon32.exe

pid process

824 svchost.exe
824 svchost.exe
824 svchost.exe
1924 cmmon32.exe
1924 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.execmmon32.exe

description pid process

Token: SeDebugPrivilege 824 svchost.exe
Token: SeDebugPrivilege 1924 cmmon32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	824	svchost.exe
Token: SeDebugPrivilege	1924	cmmon32.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

scm928192.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 2004 wrote to memory of 824	2004	scm928192.exe	svchost.exe
PID 1304 wrote to memory of 1924	1304	Explorer.EXE	cmmon32.exe
PID 1304 wrote to memory of 1924	1304	Explorer.EXE	cmmon32.exe
PID 1304 wrote to memory of 1924	1304	Explorer.EXE	cmmon32.exe
PID 1304 wrote to memory of 1924	1304	Explorer.EXE	cmmon32.exe
PID 1924 wrote to memory of 972	1924	cmmon32.exe	cmd.exe
PID 1924 wrote to memory of 972	1924	cmmon32.exe	cmd.exe
PID 1924 wrote to memory of 972	1924	cmmon32.exe	cmd.exe
PID 1924 wrote to memory of 972	1924	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\scm928192.exe
"C:\Users\Admin\AppData\Local\Temp\scm928192.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWow64\svchost.exe
"C:\\Windows\\SysWow64\\svchost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWow64\svchost.exe"
3⤵
PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/824-15-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/824-14-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/824-12-0x000000000041D000-mapping.dmp

Download
memory/972-20-0x0000000000000000-mapping.dmp

Download
memory/1304-23-0x0000000006AE0000-0x0000000006C12000-memory.dmp

Filesize
1.2MB

Download
memory/1304-16-0x0000000004910000-0x0000000004A26000-memory.dmp

Filesize
1.1MB

Download
memory/1924-17-0x0000000000000000-mapping.dmp

Download
memory/1924-18-0x00000000009B0000-0x00000000009BD000-memory.dmp

Filesize
52KB

Download
memory/1924-19-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1924-21-0x00000000020E0000-0x00000000023E3000-memory.dmp

Filesize
3.0MB

Download
memory/1924-22-0x00000000004F0000-0x000000000057F000-memory.dmp

Filesize
572KB

Download
memory/2004-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2004-8-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download
memory/2004-7-0x0000000000920000-0x0000000000949000-memory.dmp

Filesize
164KB

Download
memory/2004-6-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

Filesize
8KB

Download
memory/2004-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2004-5-0x0000000000550000-0x000000000058A000-memory.dmp

Filesize
232KB

Download
memory/2004-3-0x000000013FC50000-0x000000013FC51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads