formbook | 559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

General

Target

RFQ8943.pdf.exe
Size

276KB
MD5

89e074f1f6ffd1421078fdab1a00ab5d
SHA1

a5c4d75dbbe10ed36f1ffaba930456592e268169
SHA256

559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
SHA512

2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3536-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3420-126-0x00000000003D0000-0x00000000003F9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

3fe4czkvcd.exe3fe4czkvcd.exe

pid process

752 3fe4czkvcd.exe
3164 3fe4czkvcd.exe
Loads dropped DLL 2 IoCs

Processes:

RFQ8943.pdf.exe3fe4czkvcd.exe

pid process

3608 RFQ8943.pdf.exe
752 3fe4czkvcd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
752	3fe4czkvcd.exe
3164	3fe4czkvcd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BPXTQDJ0 = "C:\\Program Files (x86)\\Yjd80\\3fe4czkvcd.exe"	msiexec.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ8943.pdf.exeRFQ8943.pdf.exemsiexec.exe3fe4czkvcd.exe

description	pid	process	target process
PID 3608 set thread context of 3536	3608	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 3536 set thread context of 3048	3536	RFQ8943.pdf.exe	Explorer.EXE
PID 3420 set thread context of 3048	3420	msiexec.exe	Explorer.EXE
PID 752 set thread context of 3164	752	3fe4czkvcd.exe	3fe4czkvcd.exe

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Yjd80	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_2
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_2
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RFQ8943.pdf.exemsiexec.exe

pid	process
3536	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE

pid	process
3048	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

RFQ8943.pdf.exeRFQ8943.pdf.exemsiexec.exe3fe4czkvcd.exe

pid	process
3608	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3536	RFQ8943.pdf.exe
3420	msiexec.exe
3420	msiexec.exe
3420	msiexec.exe
752	3fe4czkvcd.exe
3420	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

RFQ8943.pdf.exemsiexec.exeExplorer.EXE3fe4czkvcd.exe

description	pid	process
Token: SeDebugPrivilege	3536	RFQ8943.pdf.exe
Token: SeDebugPrivilege	3420	msiexec.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeDebugPrivilege	3164	3fe4czkvcd.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

RFQ8943.pdf.exeExplorer.EXEmsiexec.exe3fe4czkvcd.exe

description	pid	process	target process
PID 3608 wrote to memory of 3536	3608	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 3608 wrote to memory of 3536	3608	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 3608 wrote to memory of 3536	3608	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 3608 wrote to memory of 3536	3608	RFQ8943.pdf.exe	RFQ8943.pdf.exe
PID 3048 wrote to memory of 3420	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 3420	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 3420	3048	Explorer.EXE	msiexec.exe
PID 3420 wrote to memory of 1992	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 1992	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 1992	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 4516	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 4516	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 4516	3420	msiexec.exe	cmd.exe
PID 3420 wrote to memory of 728	3420	msiexec.exe	Firefox.exe
PID 3420 wrote to memory of 728	3420	msiexec.exe	Firefox.exe
PID 3048 wrote to memory of 752	3048	Explorer.EXE	3fe4czkvcd.exe
PID 3048 wrote to memory of 752	3048	Explorer.EXE	3fe4czkvcd.exe
PID 3048 wrote to memory of 752	3048	Explorer.EXE	3fe4czkvcd.exe
PID 752 wrote to memory of 3164	752	3fe4czkvcd.exe	3fe4czkvcd.exe
PID 752 wrote to memory of 3164	752	3fe4czkvcd.exe	3fe4czkvcd.exe
PID 752 wrote to memory of 3164	752	3fe4czkvcd.exe	3fe4czkvcd.exe
PID 752 wrote to memory of 3164	752	3fe4czkvcd.exe	3fe4czkvcd.exe
PID 3420 wrote to memory of 728	3420	msiexec.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
3⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4516

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:728

C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
"C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:752

C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
"C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
MD5
89e074f1f6ffd1421078fdab1a00ab5d

SHA1
a5c4d75dbbe10ed36f1ffaba930456592e268169

SHA256
559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c

SHA512
2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\g7psd4htl39wovdj7s
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7B80.tmp\qrtethbaa.dll
MD5
15f7482c81007eff5abdca2a8fcf93b9

SHA1
c6aad787f62ee9e6421cd8d7bcce78cdd812df4e

SHA256
acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569

SHA512
ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5

Download Submit
\Users\Admin\AppData\Local\Temp\nskB4D1.tmp\qrtethbaa.dll
MD5
15f7482c81007eff5abdca2a8fcf93b9

SHA1
c6aad787f62ee9e6421cd8d7bcce78cdd812df4e

SHA256
acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569

SHA512
ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5

Download Submit
memory/728-141-0x00007FF77F550000-0x00007FF77F5E3000-memory.dmp

Filesize
588KB

Download
memory/728-142-0x0000018E5BD30000-0x0000018E5BE3F000-memory.dmp

Filesize
1.1MB

Download
memory/728-140-0x0000000000000000-mapping.dmp

Download
memory/752-132-0x0000000000000000-mapping.dmp

Download
memory/1992-124-0x0000000000000000-mapping.dmp

Download
memory/3048-129-0x0000000002400000-0x00000000024F9000-memory.dmp

Filesize
996KB

Download
memory/3048-120-0x00000000049F0000-0x0000000004B47000-memory.dmp

Filesize
1.3MB

Download
memory/3164-137-0x000000000041D4E0-mapping.dmp

Download
memory/3164-139-0x0000000000AE0000-0x0000000000E00000-memory.dmp

Filesize
3.1MB

Download
memory/3420-125-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/3420-126-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/3420-121-0x0000000000000000-mapping.dmp

Download
memory/3420-127-0x0000000004440000-0x0000000004760000-memory.dmp

Filesize
3.1MB

Download
memory/3420-128-0x00000000042A0000-0x0000000004330000-memory.dmp

Filesize
576KB

Download
memory/3536-119-0x0000000000E80000-0x0000000000E91000-memory.dmp

Filesize
68KB

Download
memory/3536-118-0x0000000000A00000-0x0000000000D20000-memory.dmp

Filesize
3.1MB

Download
memory/3536-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3536-116-0x000000000041D4E0-mapping.dmp

Download
memory/4516-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads