formbook | c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

General

Target

loader1.exe
Size

253KB
MD5

196ef716e51eb90f7ffcfd2219ce1d5e
SHA1

3c5d438cb3dee2b0474ea45be67069db184e26bb
SHA256

c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
SHA512

e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

Score

10^/10

formbook xloader m0np loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/768-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/768-57-0x000000000041D450-mapping.dmp	xloader
behavioral1/memory/1472-66-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader
behavioral1/memory/1692-78-0x000000000041D450-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

gdi002th.exegdi002th.exe

pid process

1632 gdi002th.exe
1692 gdi002th.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

544 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

loader1.exegdi002th.exe

pid process

1532 loader1.exe
1632 gdi002th.exe

pid	process
1632	gdi002th.exe
1692	gdi002th.exe

pid	process
544	cmd.exe

pid	process
1532	loader1.exe
1632	gdi002th.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	help.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T4XDCX58GPG = "C:\\Program Files (x86)\\Hozktmdz\\gdi002th.exe"	help.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

loader1.exeloader1.exehelp.exegdi002th.exe

description	pid	process	target process
PID 1532 set thread context of 768	1532	loader1.exe	loader1.exe
PID 768 set thread context of 1404	768	loader1.exe	Explorer.EXE
PID 768 set thread context of 1404	768	loader1.exe	Explorer.EXE
PID 1472 set thread context of 1404	1472	help.exe	Explorer.EXE
PID 1632 set thread context of 1692	1632	gdi002th.exe	gdi002th.exe

Drops file in Program Files directory 2 IoCs

Processes:

help.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Hozktmdz\gdi002th.exe	help.exe
File created	C:\Program Files (x86)\Hozktmdz\gdi002th.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_1
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_2
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_1
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_2
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_1
C:\Program Files (x86)\Hozktmdz\gdi002th.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

loader1.exehelp.exegdi002th.exe

pid	process
768	loader1.exe
768	loader1.exe
768	loader1.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1692	gdi002th.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe
1472	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

loader1.exehelp.exe

pid process

768 loader1.exe
768 loader1.exe
768 loader1.exe
768 loader1.exe
1472 help.exe
1472 help.exe
1472 help.exe
1472 help.exe

pid	process
1404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

loader1.exehelp.exeExplorer.EXEgdi002th.exe

description	pid	process
Token: SeDebugPrivilege	768	loader1.exe
Token: SeDebugPrivilege	1472	help.exe
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeDebugPrivilege	1692	gdi002th.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE
1404 Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

loader1.exeExplorer.EXEhelp.exegdi002th.exe

description	pid	process	target process
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1532 wrote to memory of 768	1532	loader1.exe	loader1.exe
PID 1404 wrote to memory of 1472	1404	Explorer.EXE	help.exe
PID 1404 wrote to memory of 1472	1404	Explorer.EXE	help.exe
PID 1404 wrote to memory of 1472	1404	Explorer.EXE	help.exe
PID 1404 wrote to memory of 1472	1404	Explorer.EXE	help.exe
PID 1472 wrote to memory of 544	1472	help.exe	cmd.exe
PID 1472 wrote to memory of 544	1472	help.exe	cmd.exe
PID 1472 wrote to memory of 544	1472	help.exe	cmd.exe
PID 1472 wrote to memory of 544	1472	help.exe	cmd.exe
PID 1472 wrote to memory of 1552	1472	help.exe	Firefox.exe
PID 1472 wrote to memory of 1552	1472	help.exe	Firefox.exe
PID 1472 wrote to memory of 1552	1472	help.exe	Firefox.exe
PID 1472 wrote to memory of 1552	1472	help.exe	Firefox.exe
PID 1404 wrote to memory of 1632	1404	Explorer.EXE	gdi002th.exe
PID 1404 wrote to memory of 1632	1404	Explorer.EXE	gdi002th.exe
PID 1404 wrote to memory of 1632	1404	Explorer.EXE	gdi002th.exe
PID 1404 wrote to memory of 1632	1404	Explorer.EXE	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1632 wrote to memory of 1692	1632	gdi002th.exe	gdi002th.exe
PID 1472 wrote to memory of 1552	1472	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\loader1.exe
"C:\Users\Admin\AppData\Local\Temp\loader1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\loader1.exe
"C:\Users\Admin\AppData\Local\Temp\loader1.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1744

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1836

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
3⤵
- Deletes itself
PID:544

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1552

C:\Program Files (x86)\Hozktmdz\gdi002th.exe
"C:\Program Files (x86)\Hozktmdz\gdi002th.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files (x86)\Hozktmdz\gdi002th.exe
"C:\Program Files (x86)\Hozktmdz\gdi002th.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Hozktmdz\gdi002th.exe
MD5
196ef716e51eb90f7ffcfd2219ce1d5e

SHA1
3c5d438cb3dee2b0474ea45be67069db184e26bb

SHA256
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

SHA512
e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

Download Submit
C:\Program Files (x86)\Hozktmdz\gdi002th.exe
MD5
196ef716e51eb90f7ffcfd2219ce1d5e

SHA1
3c5d438cb3dee2b0474ea45be67069db184e26bb

SHA256
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

SHA512
e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

Download Submit
C:\Program Files (x86)\Hozktmdz\gdi002th.exe
MD5
196ef716e51eb90f7ffcfd2219ce1d5e

SHA1
3c5d438cb3dee2b0474ea45be67069db184e26bb

SHA256
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

SHA512
e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxp407vczottn
MD5
ac7a35a54ad3d34e18ee939ea1678e21

SHA1
5a673519a148588580d76db26f72bfecfddedf24

SHA256
bb46faeb56bad25dba83768bbbb1f91a57c535b2aad86ce6d1253b8dfedd8f3e

SHA512
1140fef1699b9bf4a8d1f4a04a55f33aab019008259776babb973169ede9031c37ee3c0da0567d634c2563a687332624040ae9b6e48367805eb0f06363ecc3c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsc705F.tmp\wkpnpsjabyz.dll
MD5
cceb1c08032a04804191f34f7e070d5d

SHA1
7a6628b4b164874e61a034b17b669631dc3d7eb7

SHA256
eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae

SHA512
e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467

Download Submit
\Users\Admin\AppData\Local\Temp\nsqA209.tmp\wkpnpsjabyz.dll
MD5
cceb1c08032a04804191f34f7e070d5d

SHA1
7a6628b4b164874e61a034b17b669631dc3d7eb7

SHA256
eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae

SHA512
e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467

Download Submit
memory/544-64-0x0000000000000000-mapping.dmp

Download
memory/768-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/768-57-0x000000000041D450-mapping.dmp

Download
memory/768-58-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/768-59-0x0000000000A10000-0x0000000000A21000-memory.dmp

Filesize
68KB

Download
memory/768-61-0x0000000002280000-0x0000000002291000-memory.dmp

Filesize
68KB

Download
memory/1404-60-0x0000000006FC0000-0x000000000713A000-memory.dmp

Filesize
1.5MB

Download
memory/1404-62-0x0000000006050000-0x000000000613E000-memory.dmp

Filesize
952KB

Download
memory/1404-69-0x00000000065C0000-0x0000000006698000-memory.dmp

Filesize
864KB

Download
memory/1472-68-0x00000000004E0000-0x0000000000570000-memory.dmp

Filesize
576KB

Download
memory/1472-67-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1472-66-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1472-65-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/1472-63-0x0000000000000000-mapping.dmp

Download
memory/1532-54-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1552-81-0x0000000000000000-mapping.dmp

Download
memory/1552-82-0x000000013FA80000-0x000000013FB13000-memory.dmp

Filesize
588KB

Download
memory/1552-83-0x00000000023D0000-0x000000000246C000-memory.dmp

Filesize
624KB

Download
memory/1632-71-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x000000000041D450-mapping.dmp

Download
memory/1692-80-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads