formbook | fd0d5cfec2a1908e2e3d7466984399bb8a40d91f3dde90ab77e90fb29c52e466

General

Target

RFQ356284678,pdf.exe
Size

401KB
MD5

30b799e145ec03674de8d27ae3e5c0ba
SHA1

339a5df9d70b31d0b59a5e97d672f12ccb67e45e
SHA256

5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346
SHA512

d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

Score

10^/10

formbook xloader gv6d loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gv6d

C2

http://www.breakaway.uk/gv6d/

Decoy

bigfatgay.com

czrsgd168.com

bnkinvestments.com

uhchearingfl.com

hooktowingco.com

bold2x.com

dirtyhandsdigital.com

princetonreviewes.com

typhoonmusicgroup.com

onlinemathcoach.net

safecareethiopia.net

alvarogdeo.com

access-sca-login.pro

handbagswholesalemaster.com

whoaservices.com

telemunndopr.com

dream2works.com

itemconfirmation.com

kentebags.com

chennaipremium.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-63-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/464-69-0x00000000000C0000-0x00000000000E8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wincds.exewincds.exe

pid process

912 wincds.exe
1016 wincds.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe

pid	process
912	wincds.exe
1016	wincds.exe

pid	process
1508	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NAPSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HZ5LUHMXCN = "C:\\Program Files (x86)\\Gzlj8\\wincds.exe"	NAPSTAT.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ356284678,pdf.exeRFQ356284678,pdf.exeNAPSTAT.EXEwincds.exe

description	pid	process	target process
PID 1976 set thread context of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1960 set thread context of 1228	1960	RFQ356284678,pdf.exe	Explorer.EXE
PID 464 set thread context of 1228	464	NAPSTAT.EXE	Explorer.EXE
PID 912 set thread context of 1016	912	wincds.exe	wincds.exe

Drops file in Program Files directory 2 IoCs

Processes:

NAPSTAT.EXEExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Gzlj8\wincds.exe	NAPSTAT.EXE
File created	C:\Program Files (x86)\Gzlj8\wincds.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

RFQ356284678,pdf.exeNAPSTAT.EXEwincds.exe

pid	process
1960	RFQ356284678,pdf.exe
1960	RFQ356284678,pdf.exe
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
1016	wincds.exe
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE

pid	process
1228	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

RFQ356284678,pdf.exeRFQ356284678,pdf.exeNAPSTAT.EXEwincds.exe

pid	process
1976	RFQ356284678,pdf.exe
1960	RFQ356284678,pdf.exe
1960	RFQ356284678,pdf.exe
1960	RFQ356284678,pdf.exe
464	NAPSTAT.EXE
464	NAPSTAT.EXE
464	NAPSTAT.EXE
912	wincds.exe
464	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RFQ356284678,pdf.exeNAPSTAT.EXEExplorer.EXEwincds.exe

description	pid	process
Token: SeDebugPrivilege	1960	RFQ356284678,pdf.exe
Token: SeDebugPrivilege	464	NAPSTAT.EXE
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeShutdownPrivilege	1228	Explorer.EXE
Token: SeDebugPrivilege	1016	wincds.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

RFQ356284678,pdf.exeExplorer.EXENAPSTAT.EXEwincds.exe

description	pid	process	target process
PID 1976 wrote to memory of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1976 wrote to memory of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1976 wrote to memory of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1976 wrote to memory of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1976 wrote to memory of 1960	1976	RFQ356284678,pdf.exe	RFQ356284678,pdf.exe
PID 1228 wrote to memory of 464	1228	Explorer.EXE	NAPSTAT.EXE
PID 1228 wrote to memory of 464	1228	Explorer.EXE	NAPSTAT.EXE
PID 1228 wrote to memory of 464	1228	Explorer.EXE	NAPSTAT.EXE
PID 1228 wrote to memory of 464	1228	Explorer.EXE	NAPSTAT.EXE
PID 464 wrote to memory of 1508	464	NAPSTAT.EXE	cmd.exe
PID 464 wrote to memory of 1508	464	NAPSTAT.EXE	cmd.exe
PID 464 wrote to memory of 1508	464	NAPSTAT.EXE	cmd.exe
PID 464 wrote to memory of 1508	464	NAPSTAT.EXE	cmd.exe
PID 464 wrote to memory of 1152	464	NAPSTAT.EXE	Firefox.exe
PID 464 wrote to memory of 1152	464	NAPSTAT.EXE	Firefox.exe
PID 464 wrote to memory of 1152	464	NAPSTAT.EXE	Firefox.exe
PID 464 wrote to memory of 1152	464	NAPSTAT.EXE	Firefox.exe
PID 1228 wrote to memory of 912	1228	Explorer.EXE	wincds.exe
PID 1228 wrote to memory of 912	1228	Explorer.EXE	wincds.exe
PID 1228 wrote to memory of 912	1228	Explorer.EXE	wincds.exe
PID 1228 wrote to memory of 912	1228	Explorer.EXE	wincds.exe
PID 912 wrote to memory of 1016	912	wincds.exe	wincds.exe
PID 912 wrote to memory of 1016	912	wincds.exe	wincds.exe
PID 912 wrote to memory of 1016	912	wincds.exe	wincds.exe
PID 912 wrote to memory of 1016	912	wincds.exe	wincds.exe
PID 912 wrote to memory of 1016	912	wincds.exe	wincds.exe
PID 464 wrote to memory of 1152	464	NAPSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
3⤵
- Deletes itself
PID:1508

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1152

C:\Program Files (x86)\Gzlj8\wincds.exe
"C:\Program Files (x86)\Gzlj8\wincds.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912

C:\Program Files (x86)\Gzlj8\wincds.exe
"C:\Program Files (x86)\Gzlj8\wincds.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gzlj8\wincds.exe
MD5
30b799e145ec03674de8d27ae3e5c0ba

SHA1
339a5df9d70b31d0b59a5e97d672f12ccb67e45e

SHA256
5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

SHA512
d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

Download Submit
C:\Program Files (x86)\Gzlj8\wincds.exe
MD5
30b799e145ec03674de8d27ae3e5c0ba

SHA1
339a5df9d70b31d0b59a5e97d672f12ccb67e45e

SHA256
5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

SHA512
d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

Download Submit
C:\Program Files (x86)\Gzlj8\wincds.exe
MD5
30b799e145ec03674de8d27ae3e5c0ba

SHA1
339a5df9d70b31d0b59a5e97d672f12ccb67e45e

SHA256
5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

SHA512
d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

Download Submit
memory/464-70-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/464-72-0x0000000001D80000-0x0000000001E0F000-memory.dmp

Filesize
572KB

Download
memory/464-69-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/464-68-0x00000000007A0000-0x00000000007E6000-memory.dmp

Filesize
280KB

Download
memory/464-67-0x0000000000000000-mapping.dmp

Download
memory/912-75-0x0000000000000000-mapping.dmp

Download
memory/1016-79-0x000000000041CFC0-mapping.dmp

Download
memory/1016-82-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1152-81-0x0000000000000000-mapping.dmp

Download
memory/1152-84-0x0000000000060000-0x000000000012A000-memory.dmp

Filesize
808KB

Download
memory/1152-83-0x000000013F210000-0x000000013F2A3000-memory.dmp

Filesize
588KB

Download
memory/1228-73-0x0000000004F40000-0x0000000005071000-memory.dmp

Filesize
1.2MB

Download
memory/1228-66-0x00000000041A0000-0x000000000427A000-memory.dmp

Filesize
872KB

Download
memory/1508-71-0x0000000000000000-mapping.dmp

Download
memory/1960-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1960-61-0x000000000041CFC0-mapping.dmp

Download
memory/1960-65-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/1960-64-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1976-62-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1976-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads