formbook | 6e58ae351edc0756ce48324a8847e810c3452a1a6d92be5ccbac0e2a063a8808

General

Target

REVISED OFFER.exe
Size

1.5MB
MD5

a23d32321c572b877246453f426494d2
SHA1

23f03a3533053b06acc915bcb33e9a8ebfdfa010
SHA256

9748d96e1143a06277d9cc3e9398d366fe3fa21c4316b8134462c42a0020fe87
SHA512

356ddaaf71c6d409450a558a51d8c43a8edcccf283fdf24d1c7d81a10bf21123e1b1abffae63694219bb7b2192704fd885d8a8a7409e481a6629763b7d5e2555

Score

10^/10

formbook xloader c2ue loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c2ue

C2

http://www.heidevelop.xyz/c2ue/

Decoy

isportdata.com

stellarex.energy

hsucollections.com

menuhaisan.com

joe-tzu.com

lumichargemktg.com

uae.tires

rapidcae.com

softwaresystemsolutions.com

s-galaxy.website

daewon-talks.net

northgamesnetwork.com

catalogue-bouyguestele.com

criativanet.com

theseasonalshift.com

actionfoto.online

openmaildoe.com

trashpenguin.com

ennopure.net

azurermine.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3364-128-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3364-129-0x000000000041D3A0-mapping.dmp	xloader
behavioral2/memory/688-136-0x0000000000BA0000-0x0000000000BC9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

83 688 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

regsvc2drxg.exe

pid process

1664 regsvc2drxg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
83	688	cmd.exe

pid	process
1664	regsvc2drxg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6LCXULEXCN = "C:\\Program Files (x86)\\Abrk\\regsvc2drxg.exe"	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

REVISED OFFER.exeREVISED OFFER.execmd.exe

description	pid	process	target process
PID 2384 set thread context of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 3364 set thread context of 1588	3364	REVISED OFFER.exe	Explorer.EXE
PID 688 set thread context of 1588	688	cmd.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEcmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Abrk	Explorer.EXE
File created	C:\Program Files (x86)\Abrk\regsvc2drxg.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Abrk\regsvc2drxg.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Abrk\regsvc2drxg.exe	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 1664 WerFault.exe regsvc2drxg.exe

pid	pid_target	process	target process
1780	1664	WerFault.exe	regsvc2drxg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

REVISED OFFER.execmd.exeWerFault.exe

pid	process
3364	REVISED OFFER.exe
3364	REVISED OFFER.exe
3364	REVISED OFFER.exe
3364	REVISED OFFER.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
688	cmd.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
688	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1588 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

REVISED OFFER.execmd.exe

pid process

3364 REVISED OFFER.exe
3364 REVISED OFFER.exe
3364 REVISED OFFER.exe
688 cmd.exe
688 cmd.exe
688 cmd.exe
688 cmd.exe

pid	process
1588	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

REVISED OFFER.execmd.exeWerFault.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3364	REVISED OFFER.exe
Token: SeDebugPrivilege	688	cmd.exe
Token: SeRestorePrivilege	1780	WerFault.exe
Token: SeBackupPrivilege	1780	WerFault.exe
Token: SeDebugPrivilege	1780	WerFault.exe
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

REVISED OFFER.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 2384 wrote to memory of 3364	2384	REVISED OFFER.exe	REVISED OFFER.exe
PID 1588 wrote to memory of 688	1588	Explorer.EXE	cmd.exe
PID 1588 wrote to memory of 688	1588	Explorer.EXE	cmd.exe
PID 1588 wrote to memory of 688	1588	Explorer.EXE	cmd.exe
PID 688 wrote to memory of 3656	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 3656	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 3656	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 2744	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 2744	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 2744	688	cmd.exe	cmd.exe
PID 688 wrote to memory of 832	688	cmd.exe	Firefox.exe
PID 688 wrote to memory of 832	688	cmd.exe	Firefox.exe
PID 1588 wrote to memory of 1664	1588	Explorer.EXE	regsvc2drxg.exe
PID 1588 wrote to memory of 1664	1588	Explorer.EXE	regsvc2drxg.exe
PID 1588 wrote to memory of 1664	1588	Explorer.EXE	regsvc2drxg.exe
PID 688 wrote to memory of 832	688	cmd.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\REVISED OFFER.exe
"C:\Users\Admin\AppData\Local\Temp\REVISED OFFER.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\REVISED OFFER.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\REVISED OFFER.exe"
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2744

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:832

C:\Program Files (x86)\Abrk\regsvc2drxg.exe
"C:\Program Files (x86)\Abrk\regsvc2drxg.exe"
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1384
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Abrk\regsvc2drxg.exe
MD5
a4053642ae0117de67a2294a84cfb849

SHA1
e905481a61bf2bfad205036a4669554e577cd48f

SHA256
2cee699a912f1570ce8e5511ea10fba38446a1605f3fef1cbe32f683bb41ccc2

SHA512
7688578b5c8aff975653b42fcd9001f9424d195b9a1484233205c5bccef9c8ac139341105de32aa354edfa63f83334533076412d0d4ba529a64a30969ca6e98a

Download Submit
C:\Program Files (x86)\Abrk\regsvc2drxg.exe
MD5
a4053642ae0117de67a2294a84cfb849

SHA1
e905481a61bf2bfad205036a4669554e577cd48f

SHA256
2cee699a912f1570ce8e5511ea10fba38446a1605f3fef1cbe32f683bb41ccc2

SHA512
7688578b5c8aff975653b42fcd9001f9424d195b9a1484233205c5bccef9c8ac139341105de32aa354edfa63f83334533076412d0d4ba529a64a30969ca6e98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/688-133-0x0000000000000000-mapping.dmp

Download
memory/688-136-0x0000000000BA0000-0x0000000000BC9000-memory.dmp

Filesize
164KB

Download
memory/688-137-0x0000000003480000-0x00000000037A0000-memory.dmp

Filesize
3.1MB

Download
memory/688-138-0x00000000037A0000-0x0000000003830000-memory.dmp

Filesize
576KB

Download
memory/688-135-0x0000000000D90000-0x0000000000DE9000-memory.dmp

Filesize
356KB

Download
memory/832-155-0x0000000000000000-mapping.dmp

Download
memory/832-156-0x00007FF776950000-0x00007FF7769E3000-memory.dmp

Filesize
588KB

Download
memory/832-157-0x00000198B8CD0000-0x00000198B8DE7000-memory.dmp

Filesize
1.1MB

Download
memory/1588-132-0x0000000000880000-0x0000000000957000-memory.dmp

Filesize
860KB

Download
memory/1588-139-0x0000000004ED0000-0x0000000004F89000-memory.dmp

Filesize
740KB

Download
memory/1664-154-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/1664-142-0x0000000000000000-mapping.dmp

Download
memory/1664-151-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2384-124-0x0000000008EA0000-0x0000000008EA1000-memory.dmp

Filesize
4KB

Download
memory/2384-121-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2384-117-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2384-118-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2384-119-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2384-120-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/2384-127-0x0000000009170000-0x000000000919B000-memory.dmp

Filesize
172KB

Download
memory/2384-126-0x00000000090F0000-0x000000000916E000-memory.dmp

Filesize
504KB

Download
memory/2384-122-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2384-125-0x0000000004990000-0x000000000499E000-memory.dmp

Filesize
56KB

Download
memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2384-123-0x0000000008E50000-0x0000000008E51000-memory.dmp

Filesize
4KB

Download
memory/2744-140-0x0000000000000000-mapping.dmp

Download
memory/3364-130-0x00000000015E0000-0x0000000001900000-memory.dmp

Filesize
3.1MB

Download
memory/3364-128-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3364-129-0x000000000041D3A0-mapping.dmp

Download
memory/3364-131-0x0000000001320000-0x0000000001331000-memory.dmp

Filesize
68KB

Download
memory/3656-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads