formbook | 17c043ba55fafd013b55f51874cb0d620669ca68e9a0ad2f78dbea8fafffddc6

General

Target

pay.exe
Size

493KB
MD5

d08e51116e789fa67fd4d535ad4f399b
SHA1

1d7d28fb75910f580d75167c0b30ebadd79fe8ca
SHA256

7deecd8502e99ced6aec8588840f7e972a3b030c19e0e88ef94ec3a9d2ababc9
SHA512

6a576a4765cd48138989742cad201abc09941290d70459b13e9dbe3680fe6b291a4a422fbc7dfc4c26e0b554794015194f78c6d2e2082053ba9c1a2a9313bfa1

Score

10^/10

formbook xloader t75f loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

t75f

C2

http://www.438451.com/t75f/

Decoy

ice-lemon.pro

ar3spro.cloud

9055837.com

fucksociety.net

prettyofficialx.com

mfxw.xyz

relationshipquiz.info

customia.xyz

juanayjuan.com

zidiankj.com

facture-booking.com

secondmining.store

aboutyou.club

gongxichen.com

laurabraincreative.com

pierrot-bros.com

saintpaulaccountingservices.com

dom-maya.com

garderobamarzen.net

la-salamandre-assurances.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/616-59-0x000000000041D410-mapping.dmp	xloader
behavioral1/memory/616-58-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/828-66-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

vgaax4duxp.exe

pid process

1716 vgaax4duxp.exe

pid	process
1716	vgaax4duxp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wuapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XTMXJX5H52 = "C:\\Program Files (x86)\\Fzp1llp\\vgaax4duxp.exe"	wuapp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

pay.exeRegSvcs.exewuapp.exe

description	pid	process	target process
PID 1664 set thread context of 616	1664	pay.exe	RegSvcs.exe
PID 616 set thread context of 1376	616	RegSvcs.exe	Explorer.EXE
PID 828 set thread context of 1376	828	wuapp.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

wuapp.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe	wuapp.exe
File created	C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1669990088-476967504-438132596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wuapp.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

pay.exeRegSvcs.exewuapp.exe

pid	process
1664	pay.exe
1664	pay.exe
616	RegSvcs.exe
616	RegSvcs.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exewuapp.exe

pid process

616 RegSvcs.exe
616 RegSvcs.exe
616 RegSvcs.exe
828 wuapp.exe
828 wuapp.exe
828 wuapp.exe
828 wuapp.exe

pid	process
1376	Explorer.EXE

pid	process
616	RegSvcs.exe
616	RegSvcs.exe
616	RegSvcs.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe
828	wuapp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

pay.exeRegSvcs.exewuapp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1664	pay.exe
Token: SeDebugPrivilege	616	RegSvcs.exe
Token: SeDebugPrivilege	828	wuapp.exe
Token: SeShutdownPrivilege	1376	Explorer.EXE
Token: SeShutdownPrivilege	1376	Explorer.EXE
Token: SeShutdownPrivilege	1376	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE
1376 Explorer.EXE
1376 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE
1376 Explorer.EXE
1376 Explorer.EXE

pid	process
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE

pid	process
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE
1376	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

pay.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1664 wrote to memory of 616	1664	pay.exe	RegSvcs.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 1376 wrote to memory of 828	1376	Explorer.EXE	wuapp.exe
PID 828 wrote to memory of 1280	828	wuapp.exe	cmd.exe
PID 828 wrote to memory of 1280	828	wuapp.exe	cmd.exe
PID 828 wrote to memory of 1280	828	wuapp.exe	cmd.exe
PID 828 wrote to memory of 1280	828	wuapp.exe	cmd.exe
PID 828 wrote to memory of 1320	828	wuapp.exe	Firefox.exe
PID 828 wrote to memory of 1320	828	wuapp.exe	Firefox.exe
PID 828 wrote to memory of 1320	828	wuapp.exe	Firefox.exe
PID 828 wrote to memory of 1320	828	wuapp.exe	Firefox.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 1376 wrote to memory of 1716	1376	Explorer.EXE	vgaax4duxp.exe
PID 828 wrote to memory of 1320	828	wuapp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\pay.exe
"C:\Users\Admin\AppData\Local\Temp\pay.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1280

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1320

C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe
"C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe"
2⤵
- Executes dropped EXE
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Program Files (x86)\Fzp1llp\vgaax4duxp.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/616-59-0x000000000041D410-mapping.dmp

Download
memory/616-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/616-60-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/616-61-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/828-66-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/828-70-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/828-68-0x0000000000480000-0x0000000000510000-memory.dmp

Filesize
576KB

Download
memory/828-67-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/828-63-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x0000000001380000-0x000000000138B000-memory.dmp

Filesize
44KB

Download
memory/1280-65-0x0000000000000000-mapping.dmp

Download
memory/1320-76-0x0000000000000000-mapping.dmp

Download
memory/1320-78-0x0000000000060000-0x0000000000115000-memory.dmp

Filesize
724KB

Download
memory/1320-77-0x000000013F0A0000-0x000000013F133000-memory.dmp

Filesize
588KB

Download
memory/1376-62-0x00000000077E0000-0x0000000007978000-memory.dmp

Filesize
1.6MB

Download
memory/1376-69-0x0000000006520000-0x0000000006633000-memory.dmp

Filesize
1.1MB

Download
memory/1664-55-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1664-52-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1664-54-0x00000000002D0000-0x00000000002D7000-memory.dmp

Filesize
28KB

Download
memory/1664-56-0x0000000004B60000-0x0000000004BBC000-memory.dmp

Filesize
368KB

Download
memory/1664-57-0x00000000005A0000-0x00000000005CB000-memory.dmp

Filesize
172KB

Download
memory/1716-74-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1716-75-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1716-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads