formbook | a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a

General

Target

Payment_receipt-jpg.exe
Size

205KB
MD5

ff3e0ab57af118dc198c22762d82a853
SHA1

7f6cc3851f4e778abad04e910849d81321b3112b
SHA256

a557dd45c97fa26c318728d77a46ea6b69afba06d1cbdc00975fe27492c5f17a
SHA512

5f18d775b0357ada24682d52f61c558db585aa8e0a1ee65cde4292ea60835e718c0bcc8daad2f264ba39cfae068aca01b4b5092a9508a6f6b1822926892576e0

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.t-delivery.com/c8bs/

Decoy

hiocast.com

osloelektriker.com

reneochoa.com

abtalna.com

inochishop.com

meetingsourcing.com

agatmato.com

subauth.com

enascenso2011.com

tapaticon.website

jpamoroso.com

theofficialgarciaapp.com

a7a2.xyz

6767998.info

travelloverstransfers.com

themetroatlantateam.com

cmilegacy.com

sportcardcon.com

signaturehosts.com

banhxeowraps.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3112-10-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3752-20-0x0000000002640000-0x0000000002668000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

q543aatx9th.exeq543aatx9th.exe

pid process

3596 q543aatx9th.exe
3112 q543aatx9th.exe
Loads dropped DLL 1 IoCs

Processes:

q543aatx9th.exe

pid process

3596 q543aatx9th.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

q543aatx9th.exeq543aatx9th.exewlanext.exe

description	pid	process	target process
PID 3596 set thread context of 3112	3596	q543aatx9th.exe	q543aatx9th.exe
PID 3112 set thread context of 3000	3112	q543aatx9th.exe	Explorer.EXE
PID 3112 set thread context of 3000	3112	q543aatx9th.exe	Explorer.EXE
PID 3752 set thread context of 3000	3752	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

q543aatx9th.exeq543aatx9th.exewlanext.exe

pid	process
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3596	q543aatx9th.exe
3112	q543aatx9th.exe
3112	q543aatx9th.exe
3112	q543aatx9th.exe
3112	q543aatx9th.exe
3112	q543aatx9th.exe
3112	q543aatx9th.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe
3752	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

q543aatx9th.exeq543aatx9th.exewlanext.exe

pid process

3596 q543aatx9th.exe
3112 q543aatx9th.exe
3112 q543aatx9th.exe
3112 q543aatx9th.exe
3112 q543aatx9th.exe
3752 wlanext.exe
3752 wlanext.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

q543aatx9th.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3112	q543aatx9th.exe
Token: SeDebugPrivilege	3752	wlanext.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE

pid	process
3000	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Payment_receipt-jpg.exeq543aatx9th.exeq543aatx9th.exewlanext.exe

description	pid	process	target process
PID 3584 wrote to memory of 3596	3584	Payment_receipt-jpg.exe	q543aatx9th.exe
PID 3584 wrote to memory of 3596	3584	Payment_receipt-jpg.exe	q543aatx9th.exe
PID 3584 wrote to memory of 3596	3584	Payment_receipt-jpg.exe	q543aatx9th.exe
PID 3596 wrote to memory of 3112	3596	q543aatx9th.exe	q543aatx9th.exe
PID 3596 wrote to memory of 3112	3596	q543aatx9th.exe	q543aatx9th.exe
PID 3596 wrote to memory of 3112	3596	q543aatx9th.exe	q543aatx9th.exe
PID 3596 wrote to memory of 3112	3596	q543aatx9th.exe	q543aatx9th.exe
PID 3112 wrote to memory of 3752	3112	q543aatx9th.exe	wlanext.exe
PID 3112 wrote to memory of 3752	3112	q543aatx9th.exe	wlanext.exe
PID 3112 wrote to memory of 3752	3112	q543aatx9th.exe	wlanext.exe
PID 3752 wrote to memory of 3552	3752	wlanext.exe	cmd.exe
PID 3752 wrote to memory of 3552	3752	wlanext.exe	cmd.exe
PID 3752 wrote to memory of 3552	3752	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3000

C:\Users\Admin\AppData\Local\Temp\Payment_receipt-jpg.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_receipt-jpg.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe
"C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe" "C:\Users\Admin\AppData\Local\Temp\9v3vv.dll" "C:\Users\Admin\AppData\Local\Temp\nacdbu.dw"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe
"C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe" "C:\Users\Admin\AppData\Local\Temp\9v3vv.dll" "C:\Users\Admin\AppData\Local\Temp\nacdbu.dw"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
5⤵
PID:2808

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
5⤵
PID:4036

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe"
6⤵
PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9v3vv.dll
MD5
ff561381a98c59a015d95a8efdb1d6a7

SHA1
0116be6300004d38b2ad869f2b93d81a329f5c47

SHA256
2591c9b97e1f4599b74cde3302c95f2b867ccd061989d32362f03ca5f8d7358e

SHA512
cab5553d602a34944605e6afb7024492e7162fa2cdc46e38b84da93d4a752a6e5e022f82dfe3d7da27579353cec22f2557d78b4578b0e98ef8993e24b0111ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\nacdbu.dw
MD5
7d0269fe295e21bdebb20f75905994d3

SHA1
a5d0a28aa49dce198346d9ff0a91ca322ae18a56

SHA256
f302190eb9a7f56f080f961b9e4535d0dcf980bdf593d2364b2812d068cd3054

SHA512
26356342a27c31f9650871b988b1387c70d3178285ba734596b8afd0385319f4cdb153a026fc847b15c68a3466948a75e2412b107713f8408f8d27c90650959f

Download Submit
C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe
MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe
MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\q543aatx9th.exe
MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
\Users\Admin\AppData\Local\Temp\9v3vv.dll
MD5
ff561381a98c59a015d95a8efdb1d6a7

SHA1
0116be6300004d38b2ad869f2b93d81a329f5c47

SHA256
2591c9b97e1f4599b74cde3302c95f2b867ccd061989d32362f03ca5f8d7358e

SHA512
cab5553d602a34944605e6afb7024492e7162fa2cdc46e38b84da93d4a752a6e5e022f82dfe3d7da27579353cec22f2557d78b4578b0e98ef8993e24b0111ace

Download Submit
memory/3000-14-0x00000000056B0000-0x0000000005796000-memory.dmp

Filesize
920KB

Download
memory/3000-23-0x00000000057A0000-0x0000000005901000-memory.dmp

Filesize
1.4MB

Download
memory/3000-16-0x00000000031E0000-0x00000000032BD000-memory.dmp

Filesize
884KB

Download
memory/3112-13-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/3112-11-0x00000000011A0000-0x00000000014C0000-memory.dmp

Filesize
3.1MB

Download
memory/3112-15-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/3112-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3112-8-0x000000000041D020-mapping.dmp

Download
memory/3552-18-0x0000000000000000-mapping.dmp

Download
memory/3596-2-0x0000000000000000-mapping.dmp

Download
memory/3752-17-0x0000000000000000-mapping.dmp

Download
memory/3752-20-0x0000000002640000-0x0000000002668000-memory.dmp

Filesize
160KB

Download
memory/3752-19-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/3752-21-0x0000000002BA0000-0x0000000002EC0000-memory.dmp

Filesize
3.1MB

Download
memory/3752-22-0x0000000002930000-0x00000000029BF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads