formbook | 3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4

General

Target

Doc_3957495686846574893974939464936488463936484,pdf.exe
Size

77KB
MD5

1662b1ff6de1371a09ecabb5a2c14905
SHA1

5a9353c5b8b1e1b19b7879cd483c9f715237c478
SHA256

3a220e6bff537b270991d1bb49e530c7279fb643f8a9b5998bbefae6140a19f4
SHA512

ae20025d79fbfbf85bceeaca71fcd170966eaa71761dffc4d96405311e314f44b4f6d5573747b6923da0477c0a2ba1ecd95c14e917aa9408c157c6964fd3b68f

Score

10^/10

formbook xloader evasion loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aubonmarcheduparc.com/rina/

Decoy

syndicauto.net

techvorx.com

palletrackingvancouver.com

pricetrackerindia.com

photocravings.com

jenniferlwilsonrn.com

cartucce-toner.com

fred-auto-sport.com

aletheajean.com

beautyhacks.website

seoalmaguer.com

cursoencasa.net

flex-eg.com

dygdreams.com

magnoliadawson.com

whitehouseeffectband.com

visualtrigger.art

kalinahybridseeds.com

glacesnamur.com

drbordogna.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1544-16-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1544-17-0x000000000041D0A0-mapping.dmp	xloader

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Doc_3957495686846574893974939464936488463936484,pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Doc_3957495686846574893974939464936488463936484,pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Doc_3957495686846574893974939464936488463936484,pdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	pid	process	target process
PID 892 set thread context of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

956 timeout.exe

pid	process
956	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeDoc_3957495686846574893974939464936488463936484,pdf.exeDoc_3957495686846574893974939464936488463936484,pdf.exe

pid	process
768	powershell.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
892	Doc_3957495686846574893974939464936488463936484,pdf.exe
1544	Doc_3957495686846574893974939464936488463936484,pdf.exe
768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 892 Doc_3957495686846574893974939464936488463936484,pdf.exe
Token: SeDebugPrivilege 768 powershell.exe

description	pid	process
Token: SeDebugPrivilege	892	Doc_3957495686846574893974939464936488463936484,pdf.exe
Token: SeDebugPrivilege	768	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.execmd.exe

description	pid	process	target process
PID 892 wrote to memory of 768	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 892 wrote to memory of 768	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 892 wrote to memory of 768	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 892 wrote to memory of 768	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	powershell.exe
PID 892 wrote to memory of 1716	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 892 wrote to memory of 1716	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 892 wrote to memory of 1716	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 892 wrote to memory of 1716	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	cmd.exe
PID 1716 wrote to memory of 956	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 956	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 956	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 956	1716	cmd.exe	timeout.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe
PID 892 wrote to memory of 1544	892	Doc_3957495686846574893974939464936488463936484,pdf.exe	Doc_3957495686846574893974939464936488463936484,pdf.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

Doc_3957495686846574893974939464936488463936484,pdf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Doc_3957495686846574893974939464936488463936484,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:956

C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_3957495686846574893974939464936488463936484,pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-24-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/768-12-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/768-14-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/768-53-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/768-7-0x0000000000000000-mapping.dmp

Download
memory/768-8-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/768-52-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/768-38-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/768-11-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/768-21-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/768-13-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/768-15-0x0000000000D12000-0x0000000000D13000-memory.dmp

Filesize
4KB

Download
memory/768-54-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/768-37-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/768-30-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/768-18-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/768-29-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/892-5-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/892-2-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/892-6-0x00000000008C0000-0x000000000095B000-memory.dmp

Filesize
620KB

Download
memory/892-3-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/956-10-0x0000000000000000-mapping.dmp

Download
memory/1544-20-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1544-17-0x000000000041D0A0-mapping.dmp

Download
memory/1544-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads