formbook | fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1

General

Target

HSBC94302,pdf.exe
Size

255KB
MD5

f074678a2c588e8741918098804e2a54
SHA1

8f6ece4353671a76abea3621a1ae05886bfd181c
SHA256

fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1
SHA512

21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/988-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/988-57-0x000000000041D4E0-mapping.dmp	xloader
behavioral1/memory/1112-64-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1476-76-0x000000000041D4E0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TP-H0HTHUHS = "C:\\Program Files (x86)\\C_l80wbm\\ms1b0l.exe"	wininit.exe

Executes dropped EXE 2 IoCs

Processes:

ms1b0l.exems1b0l.exe

pid process

1344 ms1b0l.exe
1476 ms1b0l.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

980 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

HSBC94302,pdf.exems1b0l.exe

pid process

1628 HSBC94302,pdf.exe
1344 ms1b0l.exe

pid	process
1344	ms1b0l.exe
1476	ms1b0l.exe

pid	process
980	cmd.exe

pid	process
1628	HSBC94302,pdf.exe
1344	ms1b0l.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

HSBC94302,pdf.exeHSBC94302,pdf.exewininit.exems1b0l.exe

description	pid	process	target process
PID 1628 set thread context of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 988 set thread context of 1364	988	HSBC94302,pdf.exe	Explorer.EXE
PID 1112 set thread context of 1364	1112	wininit.exe	Explorer.EXE
PID 1344 set thread context of 1476	1344	ms1b0l.exe	ms1b0l.exe

Drops file in Program Files directory 2 IoCs

Processes:

wininit.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	wininit.exe
File created	C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_2
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_2
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

HSBC94302,pdf.exewininit.exems1b0l.exe

pid	process
988	HSBC94302,pdf.exe
988	HSBC94302,pdf.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1476	ms1b0l.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe
1112	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

HSBC94302,pdf.exewininit.exe

pid process

988 HSBC94302,pdf.exe
988 HSBC94302,pdf.exe
988 HSBC94302,pdf.exe
1112 wininit.exe
1112 wininit.exe
1112 wininit.exe
1112 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

HSBC94302,pdf.exewininit.exems1b0l.exe

description pid process

Token: SeDebugPrivilege 988 HSBC94302,pdf.exe
Token: SeDebugPrivilege 1112 wininit.exe
Token: SeDebugPrivilege 1476 ms1b0l.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE
1364 Explorer.EXE

pid	process
1364	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	988	HSBC94302,pdf.exe
Token: SeDebugPrivilege	1112	wininit.exe
Token: SeDebugPrivilege	1476	ms1b0l.exe

pid	process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

pid	process
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

HSBC94302,pdf.exeExplorer.EXEwininit.exems1b0l.exe

description	pid	process	target process
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1628 wrote to memory of 988	1628	HSBC94302,pdf.exe	HSBC94302,pdf.exe
PID 1364 wrote to memory of 1112	1364	Explorer.EXE	wininit.exe
PID 1364 wrote to memory of 1112	1364	Explorer.EXE	wininit.exe
PID 1364 wrote to memory of 1112	1364	Explorer.EXE	wininit.exe
PID 1364 wrote to memory of 1112	1364	Explorer.EXE	wininit.exe
PID 1112 wrote to memory of 980	1112	wininit.exe	cmd.exe
PID 1112 wrote to memory of 980	1112	wininit.exe	cmd.exe
PID 1112 wrote to memory of 980	1112	wininit.exe	cmd.exe
PID 1112 wrote to memory of 980	1112	wininit.exe	cmd.exe
PID 1112 wrote to memory of 1948	1112	wininit.exe	Firefox.exe
PID 1112 wrote to memory of 1948	1112	wininit.exe	Firefox.exe
PID 1112 wrote to memory of 1948	1112	wininit.exe	Firefox.exe
PID 1112 wrote to memory of 1948	1112	wininit.exe	Firefox.exe
PID 1364 wrote to memory of 1344	1364	Explorer.EXE	ms1b0l.exe
PID 1364 wrote to memory of 1344	1364	Explorer.EXE	ms1b0l.exe
PID 1364 wrote to memory of 1344	1364	Explorer.EXE	ms1b0l.exe
PID 1364 wrote to memory of 1344	1364	Explorer.EXE	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1344 wrote to memory of 1476	1344	ms1b0l.exe	ms1b0l.exe
PID 1112 wrote to memory of 1948	1112	wininit.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
3⤵
- Deletes itself
PID:980

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1948

C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
"C:\Program Files (x86)\C_l80wbm\ms1b0l.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
"C:\Program Files (x86)\C_l80wbm\ms1b0l.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
MD5
f074678a2c588e8741918098804e2a54

SHA1
8f6ece4353671a76abea3621a1ae05886bfd181c

SHA256
fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1

SHA512
21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

Download Submit
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
MD5
f074678a2c588e8741918098804e2a54

SHA1
8f6ece4353671a76abea3621a1ae05886bfd181c

SHA256
fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1

SHA512
21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

Download Submit
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
MD5
f074678a2c588e8741918098804e2a54

SHA1
8f6ece4353671a76abea3621a1ae05886bfd181c

SHA256
fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1

SHA512
21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b132iy3n65ngx
MD5
8ee59d610eb0cbd98fa1f78e25c1e0ca

SHA1
da69b87f81e27b54dc668d893f49ea08ccc60880

SHA256
bd5fb90655c8a62769c382ba17d0fdf2d396b2d59c4f2db3fd00d07868c338f5

SHA512
1cf95fc5c6e9c1f0441bf5f3d1618f62ccaed7ae455dc0a79abb96b7d1098e260abb02bef6a4b3eb5e2c77c89a0a69c5a4e4de57522e7316447306052e9562d5

Download Submit
\Users\Admin\AppData\Local\Temp\nsqE38B.tmp\injpp.dll
MD5
52230408da822ac77450b0e11c41d28d

SHA1
7c5394bb747a4a6fea18955e1da878cd87a7e86a

SHA256
7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153

SHA512
fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1

Download Submit
\Users\Admin\AppData\Local\Temp\nsrC764.tmp\injpp.dll
MD5
52230408da822ac77450b0e11c41d28d

SHA1
7c5394bb747a4a6fea18955e1da878cd87a7e86a

SHA256
7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153

SHA512
fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1

Download Submit
memory/980-62-0x0000000000000000-mapping.dmp

Download
memory/988-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/988-57-0x000000000041D4E0-mapping.dmp

Download
memory/988-59-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/988-58-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1112-66-0x0000000000490000-0x0000000000520000-memory.dmp

Filesize
576KB

Download
memory/1112-61-0x0000000000000000-mapping.dmp

Download
memory/1112-63-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/1112-64-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1112-65-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/1344-69-0x0000000000000000-mapping.dmp

Download
memory/1364-67-0x0000000006FE0000-0x000000000713C000-memory.dmp

Filesize
1.4MB

Download
memory/1364-60-0x0000000003FB0000-0x0000000004073000-memory.dmp

Filesize
780KB

Download
memory/1476-76-0x000000000041D4E0-mapping.dmp

Download
memory/1476-78-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1628-54-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1948-79-0x0000000000000000-mapping.dmp

Download
memory/1948-80-0x000000013FC10000-0x000000013FCA3000-memory.dmp

Filesize
588KB

Download
memory/1948-81-0x00000000024B0000-0x0000000002631000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads