formbook | ddd4407a9fabbb095399cf7e7ed9d7106b5a8368d61e68ca882a1ebf6a0360a8

General

Target

QUOTE PRICE.exe
Size

558KB
MD5

3a35017603b428f692151484ad54ded0
SHA1

ac071c363f33e2a28aaffc77e5a34642d8246fe0
SHA256

45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
SHA512

6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d

Score

10^/10

formbook xloader m6rs loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6rs

C2

http://www.litediv.com/m6rs/

Decoy

globalsovereignbank.com

ktnrape.xyz

churchybulletin.com

ddyla.com

imatge.cat

iwholesalestore.com

cultivapro.club

ibcfcl.com

refurbisheddildo.com

killerinktnpasumo4.xyz

mdphotoart.com

smi-ity.com

stanprolearningcenter.com

companyintelapp.com

tacticarc.com

soolls.com

gra68.net

cedricettori.digital

mossobuy.com

way2liv.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3732-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3732-125-0x000000000041D3D0-mapping.dmp	xloader
behavioral2/memory/2628-132-0x0000000001150000-0x0000000001179000-memory.dmp	xloader
behavioral2/memory/3544-153-0x000000000041D3D0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OVUHMBMXCNY = "C:\\Program Files (x86)\\Gofrp\\-zhyvyl3zix.exe"	netsh.exe

Executes dropped EXE 2 IoCs

Processes:

-zhyvyl3zix.exe-zhyvyl3zix.exe

pid process

2528 -zhyvyl3zix.exe
3544 -zhyvyl3zix.exe

pid	process
2528	-zhyvyl3zix.exe
3544	-zhyvyl3zix.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTE PRICE.exeQUOTE PRICE.exenetsh.exe-zhyvyl3zix.exe

description	pid	process	target process
PID 796 set thread context of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 3732 set thread context of 3024	3732	QUOTE PRICE.exe	Explorer.EXE
PID 2628 set thread context of 3024	2628	netsh.exe	Explorer.EXE
PID 2528 set thread context of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEnetsh.exe

description	ioc	process
File created	C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe	netsh.exe
File opened for modification	C:\Program Files (x86)\Gofrp	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QUOTE PRICE.exenetsh.exe

pid	process
3732	QUOTE PRICE.exe
3732	QUOTE PRICE.exe
3732	QUOTE PRICE.exe
3732	QUOTE PRICE.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe
2628	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

QUOTE PRICE.exenetsh.exe

pid process

3732 QUOTE PRICE.exe
3732 QUOTE PRICE.exe
3732 QUOTE PRICE.exe
2628 netsh.exe
2628 netsh.exe
2628 netsh.exe
2628 netsh.exe

pid	process
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

QUOTE PRICE.exenetsh.exeExplorer.EXE-zhyvyl3zix.exe

description	pid	process
Token: SeDebugPrivilege	3732	QUOTE PRICE.exe
Token: SeDebugPrivilege	2628	netsh.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeDebugPrivilege	3544	-zhyvyl3zix.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

QUOTE PRICE.exeExplorer.EXEnetsh.exe-zhyvyl3zix.exe

description	pid	process	target process
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 796 wrote to memory of 3732	796	QUOTE PRICE.exe	QUOTE PRICE.exe
PID 3024 wrote to memory of 2628	3024	Explorer.EXE	netsh.exe
PID 3024 wrote to memory of 2628	3024	Explorer.EXE	netsh.exe
PID 3024 wrote to memory of 2628	3024	Explorer.EXE	netsh.exe
PID 2628 wrote to memory of 1020	2628	netsh.exe	cmd.exe
PID 2628 wrote to memory of 1020	2628	netsh.exe	cmd.exe
PID 2628 wrote to memory of 1020	2628	netsh.exe	cmd.exe
PID 2628 wrote to memory of 1164	2628	netsh.exe	Firefox.exe
PID 2628 wrote to memory of 1164	2628	netsh.exe	Firefox.exe
PID 3024 wrote to memory of 2528	3024	Explorer.EXE	-zhyvyl3zix.exe
PID 3024 wrote to memory of 2528	3024	Explorer.EXE	-zhyvyl3zix.exe
PID 3024 wrote to memory of 2528	3024	Explorer.EXE	-zhyvyl3zix.exe
PID 2628 wrote to memory of 1164	2628	netsh.exe	Firefox.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe
PID 2528 wrote to memory of 3544	2528	-zhyvyl3zix.exe	-zhyvyl3zix.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3976

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1876

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:632

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:572

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3268

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:576

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:412

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2864

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"
3⤵
PID:1020

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1164

C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe
"C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe
"C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe
MD5
3a35017603b428f692151484ad54ded0

SHA1
ac071c363f33e2a28aaffc77e5a34642d8246fe0

SHA256
45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3

SHA512
6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d

Download Submit
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe
MD5
3a35017603b428f692151484ad54ded0

SHA1
ac071c363f33e2a28aaffc77e5a34642d8246fe0

SHA256
45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3

SHA512
6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d

Download Submit
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe
MD5
3a35017603b428f692151484ad54ded0

SHA1
ac071c363f33e2a28aaffc77e5a34642d8246fe0

SHA256
45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3

SHA512
6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d

Download Submit
memory/796-123-0x0000000007B50000-0x0000000007B8A000-memory.dmp

Filesize
232KB

Download
memory/796-119-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/796-120-0x00000000052C0000-0x00000000052DD000-memory.dmp

Filesize
116KB

Download
memory/796-121-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/796-122-0x0000000007AE0000-0x0000000007B49000-memory.dmp

Filesize
420KB

Download
memory/796-114-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/796-118-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/796-117-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/796-116-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/1020-130-0x0000000000000000-mapping.dmp

Download
memory/1164-147-0x00007FF639090000-0x00007FF639123000-memory.dmp

Filesize
588KB

Download
memory/1164-148-0x000002E960250000-0x000002E9603CF000-memory.dmp

Filesize
1.5MB

Download
memory/1164-146-0x0000000000000000-mapping.dmp

Download
memory/2528-136-0x0000000000000000-mapping.dmp

Download
memory/2528-145-0x0000000005610000-0x0000000005B0E000-memory.dmp

Filesize
5.0MB

Download
memory/2628-131-0x0000000001600000-0x000000000161E000-memory.dmp

Filesize
120KB

Download
memory/2628-133-0x0000000003AE0000-0x0000000003E00000-memory.dmp

Filesize
3.1MB

Download
memory/2628-134-0x0000000003930000-0x00000000039C0000-memory.dmp

Filesize
576KB

Download
memory/2628-132-0x0000000001150000-0x0000000001179000-memory.dmp

Filesize
164KB

Download
memory/2628-129-0x0000000000000000-mapping.dmp

Download
memory/3024-128-0x0000000005CB0000-0x0000000005DAC000-memory.dmp

Filesize
1008KB

Download
memory/3024-135-0x0000000005E30000-0x0000000005F43000-memory.dmp

Filesize
1.1MB

Download
memory/3544-153-0x000000000041D3D0-mapping.dmp

Download
memory/3544-155-0x00000000016F0000-0x0000000001A10000-memory.dmp

Filesize
3.1MB

Download
memory/3732-127-0x00000000013B0000-0x000000000145E000-memory.dmp

Filesize
696KB

Download
memory/3732-126-0x0000000001920000-0x0000000001C40000-memory.dmp

Filesize
3.1MB

Download
memory/3732-125-0x000000000041D3D0-mapping.dmp

Download
memory/3732-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads