formbook | 5be04026087a580dcf1dd996c523a3fea40d5d86f9b7f8596562dec1f7f906c7

General

Target

Swift File_pdf.exe
Size

212KB
MD5

5db240ab92ef9f9e14f96816cce4f656
SHA1

2f9b2f695654dafe3e7383bf5afa71c6277a4917
SHA256

5be04026087a580dcf1dd996c523a3fea40d5d86f9b7f8596562dec1f7f906c7
SHA512

30970072756574169b05a1e7161fd8c2e36bea6496051a867c649ed0945c4f0d34ca8ba884f5a1a460737b639ee7f5e58ac53763b7924baa3cdc213d0afdca16

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.layoutsbox.com/g832/

Decoy

thevalleycatholic.com

zhiyaanmo.com

commagx4.info

hozehapps.com

arbeitskrafte.net

mlpsdigital.com

79firerescue.com

tabby.info

ghjkl456.com

yige6688.com

mejungle.net

quanahpictures.com

swifter.tech

iraems.com

personaljie.tech

mima-tech.com

jonaskold.com

taxicabairports.com

worldarenaproperties.com

rentmy.place

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3772-6-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3176-13-0x00000000029C0000-0x00000000029E8000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

32 3176 cmd.exe
37 3176 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

Swift File_pdf.exe

pid process

540 Swift File_pdf.exe
540 Swift File_pdf.exe

flow	pid	process
32	3176	cmd.exe
37	3176	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Swift File_pdf.exeSwift File_pdf.execmd.exe

description	pid	process	target process
PID 540 set thread context of 3772	540	Swift File_pdf.exe	Swift File_pdf.exe
PID 3772 set thread context of 3016	3772	Swift File_pdf.exe	Explorer.EXE
PID 3176 set thread context of 3016	3176	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Swift File_pdf.exeSwift File_pdf.execmd.exe

pid	process
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
540	Swift File_pdf.exe
3772	Swift File_pdf.exe
3772	Swift File_pdf.exe
3772	Swift File_pdf.exe
3772	Swift File_pdf.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe
3176	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Swift File_pdf.exeSwift File_pdf.execmd.exe

pid process

540 Swift File_pdf.exe
3772 Swift File_pdf.exe
3772 Swift File_pdf.exe
3772 Swift File_pdf.exe
3176 cmd.exe
3176 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Swift File_pdf.execmd.exe

description pid process

Token: SeDebugPrivilege 3772 Swift File_pdf.exe
Token: SeDebugPrivilege 3176 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
3016 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
3016 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3772	Swift File_pdf.exe
Token: SeDebugPrivilege	3176	cmd.exe

pid	process
3016	Explorer.EXE
3016	Explorer.EXE

pid	process
3016	Explorer.EXE
3016	Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Swift File_pdf.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 540 wrote to memory of 3772	540	Swift File_pdf.exe	Swift File_pdf.exe
PID 540 wrote to memory of 3772	540	Swift File_pdf.exe	Swift File_pdf.exe
PID 540 wrote to memory of 3772	540	Swift File_pdf.exe	Swift File_pdf.exe
PID 540 wrote to memory of 3772	540	Swift File_pdf.exe	Swift File_pdf.exe
PID 3016 wrote to memory of 3176	3016	Explorer.EXE	cmd.exe
PID 3016 wrote to memory of 3176	3016	Explorer.EXE	cmd.exe
PID 3016 wrote to memory of 3176	3016	Explorer.EXE	cmd.exe
PID 3176 wrote to memory of 3056	3176	cmd.exe	cmd.exe
PID 3176 wrote to memory of 3056	3176	cmd.exe	cmd.exe
PID 3176 wrote to memory of 3056	3176	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Swift File_pdf.exe"
3⤵
PID:3056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fd9av2kfb8l.dll
MD5
1642792df35582d772a54f1e62329724

SHA1
2b3087fb3fec32e81ecf1642c05793b63ec9e3d4

SHA256
51204afe24360091ddbcc513a98296b4da60e84034bcf3cccdc1d05afd9afac3

SHA512
58e33e141b4a187968257a06d7a5a86be2e9f019f2ad9cd919fa8641cd1a9c7d45726c24ba16476ca64f728b3256d5a95e7771d5e0e66444d08521516874032f

Download Submit
\Users\Admin\AppData\Local\Temp\nsm71DB.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/3016-9-0x0000000005270000-0x00000000053D3000-memory.dmp

Filesize
1.4MB

Download
memory/3016-17-0x00000000053E0000-0x0000000005481000-memory.dmp

Filesize
644KB

Download
memory/3056-14-0x0000000000000000-mapping.dmp

Download
memory/3176-12-0x0000000003620000-0x0000000003940000-memory.dmp

Filesize
3.1MB

Download
memory/3176-10-0x0000000000000000-mapping.dmp

Download
memory/3176-11-0x0000000000860000-0x00000000008B9000-memory.dmp

Filesize
356KB

Download
memory/3176-13-0x00000000029C0000-0x00000000029E8000-memory.dmp

Filesize
160KB

Download
memory/3176-16-0x00000000033E0000-0x000000000346F000-memory.dmp

Filesize
572KB

Download
memory/3772-8-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/3772-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3772-7-0x0000000000BD0000-0x0000000000EF0000-memory.dmp

Filesize
3.1MB

Download
memory/3772-4-0x000000000041CFC0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads