formbook | 1ea2c02f87744c96ef37390bbc851ddffde8cf691356a07810e590056acf7556

General

Target

BERN210819.exe
Size

614KB
MD5

5bc6fa2221eed7444ea7d51dea3d1b4e
SHA1

e7509c6facf6b09971739123aeacd555d9fb64b5
SHA256

8d20c36d499a614206967f9ffe68885a78aa2e7c718512a31b185bbaa529a4f6
SHA512

b5d9efc7070a38d6d4dcbc015a931c6a5bc45356879abe118bf55b4f366533ca47fd94527c4e2ceb225ad3d2e34f0e7c4f7d59e1d0d4f18483dfcb9abab406d4

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2596-117-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/2660-124-0x00000000027D0000-0x00000000027F9000-memory.dmp	xloader
behavioral2/memory/2744-136-0x000000000041D4E0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TFI8FTB = "C:\\Program Files (x86)\\Znbc8rtbp\\servicesmnsd.exe"	msdt.exe

Executes dropped EXE 2 IoCs

Processes:

servicesmnsd.exeservicesmnsd.exe

pid process

932 servicesmnsd.exe
2744 servicesmnsd.exe
Loads dropped DLL 2 IoCs

Processes:

BERN210819.exeservicesmnsd.exe

pid process

2384 BERN210819.exe
932 servicesmnsd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
932	servicesmnsd.exe
2744	servicesmnsd.exe

pid	process
2384	BERN210819.exe
932	servicesmnsd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BERN210819.exeBERN210819.exemsdt.exeservicesmnsd.exe

description	pid	process	target process
PID 2384 set thread context of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2596 set thread context of 1588	2596	BERN210819.exe	Explorer.EXE
PID 2660 set thread context of 1588	2660	msdt.exe	Explorer.EXE
PID 932 set thread context of 2744	932	servicesmnsd.exe	servicesmnsd.exe

Drops file in Program Files directory 4 IoCs

Processes:

msdt.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	msdt.exe
File opened for modification	C:\Program Files (x86)\Znbc8rtbp	Explorer.EXE
File created	C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_1
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_2
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_1
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_2
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_1
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BERN210819.exemsdt.exeservicesmnsd.exe

pid	process
2596	BERN210819.exe
2596	BERN210819.exe
2596	BERN210819.exe
2596	BERN210819.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2660	msdt.exe
2744	servicesmnsd.exe
2744	servicesmnsd.exe
2660	msdt.exe
2660	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1588 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

BERN210819.exemsdt.exe

pid process

2596 BERN210819.exe
2596 BERN210819.exe
2596 BERN210819.exe
2660 msdt.exe
2660 msdt.exe
2660 msdt.exe
2660 msdt.exe
2660 msdt.exe
2660 msdt.exe

pid	process
1588	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

BERN210819.exemsdt.exeExplorer.EXEservicesmnsd.exe

description	pid	process
Token: SeDebugPrivilege	2596	BERN210819.exe
Token: SeDebugPrivilege	2660	msdt.exe
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeDebugPrivilege	2744	servicesmnsd.exe
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

BERN210819.exeExplorer.EXEmsdt.exeservicesmnsd.exe

description	pid	process	target process
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 2384 wrote to memory of 2596	2384	BERN210819.exe	BERN210819.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	msdt.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	msdt.exe
PID 1588 wrote to memory of 2660	1588	Explorer.EXE	msdt.exe
PID 2660 wrote to memory of 2904	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 2904	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 2904	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 1468	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 1468	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 1468	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 928	2660	msdt.exe	Firefox.exe
PID 2660 wrote to memory of 928	2660	msdt.exe	Firefox.exe
PID 1588 wrote to memory of 932	1588	Explorer.EXE	servicesmnsd.exe
PID 1588 wrote to memory of 932	1588	Explorer.EXE	servicesmnsd.exe
PID 1588 wrote to memory of 932	1588	Explorer.EXE	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 932 wrote to memory of 2744	932	servicesmnsd.exe	servicesmnsd.exe
PID 2660 wrote to memory of 928	2660	msdt.exe	Firefox.exe
PID 2660 wrote to memory of 3768	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 3768	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 3768	2660	msdt.exe	cmd.exe
PID 2660 wrote to memory of 3576	2660	msdt.exe	Firefox.exe
PID 2660 wrote to memory of 3576	2660	msdt.exe	Firefox.exe
PID 2660 wrote to memory of 3576	2660	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\BERN210819.exe
"C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\BERN210819.exe"
3⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1468

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3768

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3576

C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe
"C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe
"C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe
MD5
5bc6fa2221eed7444ea7d51dea3d1b4e

SHA1
e7509c6facf6b09971739123aeacd555d9fb64b5

SHA256
8d20c36d499a614206967f9ffe68885a78aa2e7c718512a31b185bbaa529a4f6

SHA512
b5d9efc7070a38d6d4dcbc015a931c6a5bc45356879abe118bf55b4f366533ca47fd94527c4e2ceb225ad3d2e34f0e7c4f7d59e1d0d4f18483dfcb9abab406d4

Download Submit
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe
MD5
5bc6fa2221eed7444ea7d51dea3d1b4e

SHA1
e7509c6facf6b09971739123aeacd555d9fb64b5

SHA256
8d20c36d499a614206967f9ffe68885a78aa2e7c718512a31b185bbaa529a4f6

SHA512
b5d9efc7070a38d6d4dcbc015a931c6a5bc45356879abe118bf55b4f366533ca47fd94527c4e2ceb225ad3d2e34f0e7c4f7d59e1d0d4f18483dfcb9abab406d4

Download Submit
C:\Program Files (x86)\Znbc8rtbp\servicesmnsd.exe
MD5
5bc6fa2221eed7444ea7d51dea3d1b4e

SHA1
e7509c6facf6b09971739123aeacd555d9fb64b5

SHA256
8d20c36d499a614206967f9ffe68885a78aa2e7c718512a31b185bbaa529a4f6

SHA512
b5d9efc7070a38d6d4dcbc015a931c6a5bc45356879abe118bf55b4f366533ca47fd94527c4e2ceb225ad3d2e34f0e7c4f7d59e1d0d4f18483dfcb9abab406d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbsuivaaf4
MD5
0d53d64e21e891a353d637ba79dacab9

SHA1
c81dac8be9d20441695ae93bac12ae1684807ced

SHA256
40183f1a4e282a6bc4239ee44da42d0bb36b882c10b2c10085ba27294d1d0c02

SHA512
3a530bd9e120c258cf93123e1811dd2138686acf3d54bfd44466c5987626b210398c044636ac22c4f5459dcfd3d46870c64747dc36180ce06a4010ae70d6fc15

Download Submit
\Users\Admin\AppData\Local\Temp\nswE135.tmp\xvrlmglvtnb.dll
MD5
02f8787fdc824f7c77ce36b099c49d3e

SHA1
0c2071220aeef55aac18c7046cfb0e3816ac35ef

SHA256
efe3e128ae092ca256430703134726a18a1e033d17743699fafda97116b3aa0f

SHA512
78439a21655661d42371264ef202b0216737ca91128be80259a9f0d4dc868de17fe2c14c850136bf743f70e74badf381d147f119e8b1d491f2cf74dcdcd72f83

Download Submit
\Users\Admin\AppData\Local\Temp\nsy83CD.tmp\xvrlmglvtnb.dll
MD5
02f8787fdc824f7c77ce36b099c49d3e

SHA1
0c2071220aeef55aac18c7046cfb0e3816ac35ef

SHA256
efe3e128ae092ca256430703134726a18a1e033d17743699fafda97116b3aa0f

SHA512
78439a21655661d42371264ef202b0216737ca91128be80259a9f0d4dc868de17fe2c14c850136bf743f70e74badf381d147f119e8b1d491f2cf74dcdcd72f83

Download Submit
memory/928-141-0x00000279C50D0000-0x00000279C51AB000-memory.dmp

Filesize
876KB

Download
memory/928-139-0x0000000000000000-mapping.dmp

Download
memory/928-140-0x00007FF776950000-0x00007FF7769E3000-memory.dmp

Filesize
588KB

Download
memory/932-130-0x0000000000000000-mapping.dmp

Download
memory/1468-128-0x0000000000000000-mapping.dmp

Download
memory/1588-127-0x0000000004FF0000-0x00000000050AA000-memory.dmp

Filesize
744KB

Download
memory/1588-120-0x0000000004ED0000-0x0000000004FC0000-memory.dmp

Filesize
960KB

Download
memory/2596-118-0x00000000009F0000-0x0000000000D10000-memory.dmp

Filesize
3.1MB

Download
memory/2596-119-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/2596-117-0x000000000041D4E0-mapping.dmp

Download
memory/2596-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2660-126-0x0000000004660000-0x00000000046F0000-memory.dmp

Filesize
576KB

Download
memory/2660-123-0x0000000000340000-0x00000000004B3000-memory.dmp

Filesize
1.4MB

Download
memory/2660-125-0x00000000049A0000-0x0000000004CC0000-memory.dmp

Filesize
3.1MB

Download
memory/2660-124-0x00000000027D0000-0x00000000027F9000-memory.dmp

Filesize
164KB

Download
memory/2660-121-0x0000000000000000-mapping.dmp

Download
memory/2744-136-0x000000000041D4E0-mapping.dmp

Download
memory/2744-138-0x0000000000A30000-0x0000000000D50000-memory.dmp

Filesize
3.1MB

Download
memory/2904-122-0x0000000000000000-mapping.dmp

Download
memory/3576-144-0x0000000000000000-mapping.dmp

Download
memory/3576-146-0x000001CE156B0000-0x000001CE15821000-memory.dmp

Filesize
1.4MB

Download
memory/3576-145-0x00007FF776950000-0x00007FF7769E3000-memory.dmp

Filesize
588KB

Download
memory/3768-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads