formbook | b32d120bf6320cf1d2d2223ad2a797eb0c20efceb12bd0655642387452ef3b6e

General

Target

RAQ11986.exe
Size

361KB
MD5

725cb0465119c2d5cc1412e3d555ad04
SHA1

d6623ecd4f819c1597392fe423d41be071a000e1
SHA256

b32d120bf6320cf1d2d2223ad2a797eb0c20efceb12bd0655642387452ef3b6e
SHA512

4b9c8d288433d18be705099752bff38020c99b5496ce66e0a2cfeb99195840c9911f9b871620abb6219a873f05c2efb4b11507db6be386ba0639e545e3d53ae6

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.wissinkadams.com/iae2/

Decoy

mainstreetswimschool.com

nhadat9chu.com

guidedcommercialloan.com

quandd.site

smittysfrontlinecarriers.com

hmas-vibrant.com

pakunok.net

jiffihosting.com

shopping-container.com

quartiercreole.net

weebflix.com

gringomexico.com

whathappensnextin6minutes.com

patchealth.com

exclusivelymarissa.com

my-glp.com

trgtbk.com

sagefemmecaluire.com

fetaldiagnosislaboratorios.com

aniversariocom-presente12.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1076-6-0x0000000001F70000-0x0000000001FC9000-memory.dmp	beds_protector

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2036-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2036-9-0x000000000041D0D0-mapping.dmp	xloader
behavioral1/memory/1220-19-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe

pid	process
1496	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RAQ11986.exeRAQ11986.exehelp.exe

description	pid	process	target process
PID 1076 set thread context of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 2036 set thread context of 1236	2036	RAQ11986.exe	Explorer.EXE
PID 2036 set thread context of 1236	2036	RAQ11986.exe	Explorer.EXE
PID 1220 set thread context of 1236	1220	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

RAQ11986.exehelp.exe

pid	process
2036	RAQ11986.exe
2036	RAQ11986.exe
2036	RAQ11986.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe
1220	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RAQ11986.exehelp.exe

pid process

2036 RAQ11986.exe
2036 RAQ11986.exe
2036 RAQ11986.exe
2036 RAQ11986.exe
1220 help.exe
1220 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RAQ11986.exehelp.exe

description pid process

Token: SeDebugPrivilege 2036 RAQ11986.exe
Token: SeDebugPrivilege 1220 help.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2036	RAQ11986.exe
Token: SeDebugPrivilege	1220	help.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RAQ11986.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1076 wrote to memory of 2036	1076	RAQ11986.exe	RAQ11986.exe
PID 1236 wrote to memory of 1220	1236	Explorer.EXE	help.exe
PID 1236 wrote to memory of 1220	1236	Explorer.EXE	help.exe
PID 1236 wrote to memory of 1220	1236	Explorer.EXE	help.exe
PID 1236 wrote to memory of 1220	1236	Explorer.EXE	help.exe
PID 1220 wrote to memory of 1496	1220	help.exe	cmd.exe
PID 1220 wrote to memory of 1496	1220	help.exe	cmd.exe
PID 1220 wrote to memory of 1496	1220	help.exe	cmd.exe
PID 1220 wrote to memory of 1496	1220	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\RAQ11986.exe
"C:\Users\Admin\AppData\Local\Temp\RAQ11986.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\RAQ11986.exe
"C:\Users\Admin\AppData\Local\Temp\RAQ11986.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RAQ11986.exe"
3⤵
- Deletes itself
PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1076-3-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1076-5-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1076-6-0x0000000001F70000-0x0000000001FC9000-memory.dmp

Filesize
356KB

Download
memory/1076-7-0x0000000000480000-0x000000000048F000-memory.dmp

Filesize
60KB

Download
memory/1220-16-0x0000000000000000-mapping.dmp

Download
memory/1220-19-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1220-21-0x00000000003F0000-0x000000000047F000-memory.dmp

Filesize
572KB

Download
memory/1220-18-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/1220-20-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1236-13-0x00000000061B0000-0x00000000062CF000-memory.dmp

Filesize
1.1MB

Download
memory/1236-15-0x00000000048B0000-0x0000000004967000-memory.dmp

Filesize
732KB

Download
memory/1236-22-0x0000000004A30000-0x0000000004B07000-memory.dmp

Filesize
860KB

Download
memory/1496-17-0x0000000000000000-mapping.dmp

Download
memory/2036-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2036-14-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2036-9-0x000000000041D0D0-mapping.dmp

Download
memory/2036-12-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/2036-11-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads