formbook | d78c836b04c545ba988741e695408016f8ec243f4eab09893b5b1b790bd62067

General

Target

bank swift scan pdf....exe
Size

323KB
MD5

6308a0ee4b50deb37f6f6a6205d5b2d6
SHA1

0a0f239995f1be45263bc2c96440cfd3dd751cc9
SHA256

f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
SHA512

96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc

Score

10^/10

formbook xloader di4c loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

di4c

C2

http://www.dropadsmedia.com/di4c/

Decoy

oscd.store

simplyminiatures.com

famouslovebackbaba.com

turkesteronesupplement.com

most-attractive.com

le-thermoplongeur.com

joydeb.xyz

incomepanther.com

infoterkiinii.xyz

indigocard.website

plasthecnolgy.com

canmamap.com

aviationtrainingworldusa.com

successoffplan.com

desert-breeze.com

nilavarna.com

stanthonyswelfare.com

shezefy.com

shcq08.xyz

spencerpauley.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1040-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1028-70-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

audiodgaz7.exeaudiodgaz7.exe

pid process

996 audiodgaz7.exe
1716 audiodgaz7.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1616 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

bank swift scan pdf....exeaudiodgaz7.exe

pid process

1304 bank swift scan pdf....exe
996 audiodgaz7.exe
996 audiodgaz7.exe

pid	process
996	audiodgaz7.exe
1716	audiodgaz7.exe

pid	process
1616	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K4XDLDWH54F = "C:\\Program Files (x86)\\Fwnuxv4rh\\audiodgaz7.exe"	chkdsk.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bank swift scan pdf....exebank swift scan pdf....exechkdsk.exeaudiodgaz7.exe

description	pid	process	target process
PID 1304 set thread context of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1040 set thread context of 1196	1040	bank swift scan pdf....exe	Explorer.EXE
PID 1028 set thread context of 1196	1028	chkdsk.exe	Explorer.EXE
PID 996 set thread context of 1716	996	audiodgaz7.exe	audiodgaz7.exe

Drops file in Program Files directory 2 IoCs

Processes:

Explorer.EXEchkdsk.exe

description	ioc	process
File created	C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	chkdsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_1
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_2
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_1
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_2
\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_1
\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_2
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_1
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bank swift scan pdf....exechkdsk.exeaudiodgaz7.exe

pid	process
1040	bank swift scan pdf....exe
1040	bank swift scan pdf....exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1716	audiodgaz7.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE

pid	process
1196	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

bank swift scan pdf....exebank swift scan pdf....exechkdsk.exeaudiodgaz7.exe

pid	process
1304	bank swift scan pdf....exe
1040	bank swift scan pdf....exe
1040	bank swift scan pdf....exe
1040	bank swift scan pdf....exe
1028	chkdsk.exe
1028	chkdsk.exe
1028	chkdsk.exe
996	audiodgaz7.exe
1028	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bank swift scan pdf....exechkdsk.exeaudiodgaz7.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1040	bank swift scan pdf....exe
Token: SeDebugPrivilege	1028	chkdsk.exe
Token: SeDebugPrivilege	1716	audiodgaz7.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

bank swift scan pdf....exeExplorer.EXEchkdsk.exeaudiodgaz7.exe

description	pid	process	target process
PID 1304 wrote to memory of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1304 wrote to memory of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1304 wrote to memory of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1304 wrote to memory of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1304 wrote to memory of 1040	1304	bank swift scan pdf....exe	bank swift scan pdf....exe
PID 1196 wrote to memory of 1028	1196	Explorer.EXE	chkdsk.exe
PID 1196 wrote to memory of 1028	1196	Explorer.EXE	chkdsk.exe
PID 1196 wrote to memory of 1028	1196	Explorer.EXE	chkdsk.exe
PID 1196 wrote to memory of 1028	1196	Explorer.EXE	chkdsk.exe
PID 1028 wrote to memory of 1616	1028	chkdsk.exe	cmd.exe
PID 1028 wrote to memory of 1616	1028	chkdsk.exe	cmd.exe
PID 1028 wrote to memory of 1616	1028	chkdsk.exe	cmd.exe
PID 1028 wrote to memory of 1616	1028	chkdsk.exe	cmd.exe
PID 1028 wrote to memory of 784	1028	chkdsk.exe	Firefox.exe
PID 1028 wrote to memory of 784	1028	chkdsk.exe	Firefox.exe
PID 1028 wrote to memory of 784	1028	chkdsk.exe	Firefox.exe
PID 1028 wrote to memory of 784	1028	chkdsk.exe	Firefox.exe
PID 1196 wrote to memory of 996	1196	Explorer.EXE	audiodgaz7.exe
PID 1196 wrote to memory of 996	1196	Explorer.EXE	audiodgaz7.exe
PID 1196 wrote to memory of 996	1196	Explorer.EXE	audiodgaz7.exe
PID 1196 wrote to memory of 996	1196	Explorer.EXE	audiodgaz7.exe
PID 996 wrote to memory of 1716	996	audiodgaz7.exe	audiodgaz7.exe
PID 996 wrote to memory of 1716	996	audiodgaz7.exe	audiodgaz7.exe
PID 996 wrote to memory of 1716	996	audiodgaz7.exe	audiodgaz7.exe
PID 996 wrote to memory of 1716	996	audiodgaz7.exe	audiodgaz7.exe
PID 996 wrote to memory of 1716	996	audiodgaz7.exe	audiodgaz7.exe
PID 1028 wrote to memory of 784	1028	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe
"C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe
"C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"
3⤵
- Deletes itself
PID:1616

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:784

C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
"C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
"C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
MD5
6308a0ee4b50deb37f6f6a6205d5b2d6

SHA1
0a0f239995f1be45263bc2c96440cfd3dd751cc9

SHA256
f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161

SHA512
96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc

Download Submit
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
MD5
6308a0ee4b50deb37f6f6a6205d5b2d6

SHA1
0a0f239995f1be45263bc2c96440cfd3dd751cc9

SHA256
f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161

SHA512
96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc

Download Submit
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
MD5
6308a0ee4b50deb37f6f6a6205d5b2d6

SHA1
0a0f239995f1be45263bc2c96440cfd3dd751cc9

SHA256
f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161

SHA512
96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\guh0enx88idzpfg
MD5
18ca13a9fd7e368e0d52cc8818837849

SHA1
82d71db26417db8d604fc8e627d900869cfd90a3

SHA256
51202e8200d2369f29ff0078a6ff489b1aac07f7855387afcd7aca322808a377

SHA512
e93be6a911f730dc43b2796c9ea85149e259a2f771c92d4504f3893d33d34c25e371ee985f4af765520ae69ae2aa556d9fe3040371ea2b1ed9c8317ef1cae7a9

Download Submit
\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe
MD5
6308a0ee4b50deb37f6f6a6205d5b2d6

SHA1
0a0f239995f1be45263bc2c96440cfd3dd751cc9

SHA256
f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161

SHA512
96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc

Download Submit
\Users\Admin\AppData\Local\Temp\nsf4402.tmp\fplpyn.dll
MD5
c86ab83feeeb519425ab355b5dfac558

SHA1
a73a950c1d7e9e93c61d5e1ae9f728191a73aa70

SHA256
3f72aec204fa837e016d24ea563309d3814ead06fa8a4c2d651066f46cb85b37

SHA512
ef6c81291b1b5a9e27dc0485b1e3c926efabd56141d67ec9873ee68628e4dfa536ddc30798a6bc9dfa6e1a66637ab1c6cac4ac9a84c134b721774a45994c89a5

Download Submit
\Users\Admin\AppData\Local\Temp\nsm7723.tmp\fplpyn.dll
MD5
c86ab83feeeb519425ab355b5dfac558

SHA1
a73a950c1d7e9e93c61d5e1ae9f728191a73aa70

SHA256
3f72aec204fa837e016d24ea563309d3814ead06fa8a4c2d651066f46cb85b37

SHA512
ef6c81291b1b5a9e27dc0485b1e3c926efabd56141d67ec9873ee68628e4dfa536ddc30798a6bc9dfa6e1a66637ab1c6cac4ac9a84c134b721774a45994c89a5

Download Submit
memory/784-88-0x0000000000060000-0x0000000000144000-memory.dmp

Filesize
912KB

Download
memory/784-87-0x000000013FDB0000-0x000000013FE43000-memory.dmp

Filesize
588KB

Download
memory/784-86-0x0000000000000000-mapping.dmp

Download
memory/996-76-0x0000000000000000-mapping.dmp

Download
memory/1028-72-0x00000000004C0000-0x0000000000550000-memory.dmp

Filesize
576KB

Download
memory/1028-71-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1028-70-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1028-69-0x0000000000560000-0x0000000000567000-memory.dmp

Filesize
28KB

Download
memory/1028-67-0x0000000000000000-mapping.dmp

Download
memory/1040-64-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1040-62-0x000000000041D4B0-mapping.dmp

Download
memory/1040-65-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1040-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1196-73-0x0000000004280000-0x0000000004341000-memory.dmp

Filesize
772KB

Download
memory/1196-74-0x0000000003A30000-0x0000000003A40000-memory.dmp

Filesize
64KB

Download
memory/1196-66-0x0000000006D20000-0x0000000006E11000-memory.dmp

Filesize
964KB

Download
memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1616-68-0x0000000000000000-mapping.dmp

Download
memory/1716-85-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1716-83-0x000000000041D4B0-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads