formbook | a680711b06aea48f7ad417905cd5ea531e15f82d8881409bd72efb470dea06cf

General

Target

QUOTE_PRICE_REQUEST.exe
Size

252KB
MD5

48043c9a21d0547478331c1613660595
SHA1

9985a65e0aa690308454632223393d8d18a1c744
SHA256

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
SHA512

408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db

Score

10^/10

formbook xloader m6rs loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6rs

C2

http://www.litediv.com/m6rs/

Decoy

globalsovereignbank.com

ktnrape.xyz

churchybulletin.com

ddyla.com

imatge.cat

iwholesalestore.com

cultivapro.club

ibcfcl.com

refurbisheddildo.com

killerinktnpasumo4.xyz

mdphotoart.com

smi-ity.com

stanprolearningcenter.com

companyintelapp.com

tacticarc.com

soolls.com

gra68.net

cedricettori.digital

mossobuy.com

way2liv.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/864-116-0x000000000041D3D0-mapping.dmp	xloader
behavioral2/memory/616-122-0x00000000008D0000-0x00000000008F9000-memory.dmp	xloader
behavioral2/memory/3148-133-0x000000000041D3D0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OFUDRZZHOL6 = "C:\\Program Files (x86)\\Z8p8tit\\0zhhzlp2u8ft.exe"	help.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	help.exe

Executes dropped EXE 2 IoCs

Processes:

0zhhzlp2u8ft.exe0zhhzlp2u8ft.exe

pid process

1268 0zhhzlp2u8ft.exe
3148 0zhhzlp2u8ft.exe
Loads dropped DLL 2 IoCs

Processes:

QUOTE_PRICE_REQUEST.exe0zhhzlp2u8ft.exe

pid process

636 QUOTE_PRICE_REQUEST.exe
1268 0zhhzlp2u8ft.exe

pid	process
1268	0zhhzlp2u8ft.exe
3148	0zhhzlp2u8ft.exe

pid	process
636	QUOTE_PRICE_REQUEST.exe
1268	0zhhzlp2u8ft.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTE_PRICE_REQUEST.exeQUOTE_PRICE_REQUEST.exehelp.exe0zhhzlp2u8ft.exe

description	pid	process	target process
PID 636 set thread context of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 864 set thread context of 3052	864	QUOTE_PRICE_REQUEST.exe	Explorer.EXE
PID 616 set thread context of 3052	616	help.exe	Explorer.EXE
PID 1268 set thread context of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe

Drops file in Program Files directory 4 IoCs

Processes:

help.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	help.exe
File opened for modification	C:\Program Files (x86)\Z8p8tit	Explorer.EXE
File created	C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_1
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_2
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_1
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_2
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_1
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QUOTE_PRICE_REQUEST.exehelp.exe0zhhzlp2u8ft.exe

pid	process
864	QUOTE_PRICE_REQUEST.exe
864	QUOTE_PRICE_REQUEST.exe
864	QUOTE_PRICE_REQUEST.exe
864	QUOTE_PRICE_REQUEST.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
616	help.exe
3148	0zhhzlp2u8ft.exe
3148	0zhhzlp2u8ft.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

QUOTE_PRICE_REQUEST.exehelp.exe

pid process

864 QUOTE_PRICE_REQUEST.exe
864 QUOTE_PRICE_REQUEST.exe
864 QUOTE_PRICE_REQUEST.exe
616 help.exe
616 help.exe
616 help.exe
616 help.exe

pid	process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

QUOTE_PRICE_REQUEST.exehelp.exeExplorer.EXE0zhhzlp2u8ft.exe

description	pid	process
Token: SeDebugPrivilege	864	QUOTE_PRICE_REQUEST.exe
Token: SeDebugPrivilege	616	help.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeDebugPrivilege	3148	0zhhzlp2u8ft.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE
3052 Explorer.EXE

pid	process
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE
3052	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

QUOTE_PRICE_REQUEST.exeExplorer.EXEhelp.exe0zhhzlp2u8ft.exe

description	pid	process	target process
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 636 wrote to memory of 864	636	QUOTE_PRICE_REQUEST.exe	QUOTE_PRICE_REQUEST.exe
PID 3052 wrote to memory of 616	3052	Explorer.EXE	help.exe
PID 3052 wrote to memory of 616	3052	Explorer.EXE	help.exe
PID 3052 wrote to memory of 616	3052	Explorer.EXE	help.exe
PID 616 wrote to memory of 1120	616	help.exe	cmd.exe
PID 616 wrote to memory of 1120	616	help.exe	cmd.exe
PID 616 wrote to memory of 1120	616	help.exe	cmd.exe
PID 616 wrote to memory of 824	616	help.exe	Firefox.exe
PID 616 wrote to memory of 824	616	help.exe	Firefox.exe
PID 3052 wrote to memory of 1268	3052	Explorer.EXE	0zhhzlp2u8ft.exe
PID 3052 wrote to memory of 1268	3052	Explorer.EXE	0zhhzlp2u8ft.exe
PID 3052 wrote to memory of 1268	3052	Explorer.EXE	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 1268 wrote to memory of 3148	1268	0zhhzlp2u8ft.exe	0zhhzlp2u8ft.exe
PID 616 wrote to memory of 824	616	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
3⤵
PID:1120

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:824

C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
"C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
"C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
MD5
48043c9a21d0547478331c1613660595

SHA1
9985a65e0aa690308454632223393d8d18a1c744

SHA256
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

SHA512
408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db

Download Submit
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
MD5
48043c9a21d0547478331c1613660595

SHA1
9985a65e0aa690308454632223393d8d18a1c744

SHA256
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

SHA512
408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db

Download Submit
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
MD5
48043c9a21d0547478331c1613660595

SHA1
9985a65e0aa690308454632223393d8d18a1c744

SHA256
75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

SHA512
408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db

Download Submit
C:\Users\Admin\AppData\Local\Temp\th19982acu
MD5
1c6b09fb0644c6df432a098c2fd13fe9

SHA1
ea0972772fc86209e8b3ea7fe83e053aa54d339a

SHA256
2678c4bbb08d2bb52156db1b66e528c44bb18d212f077dcc28675f73435eda7b

SHA512
5538a3a3353ea736bff0aa2993c88f8551fd5d1dec9fa679a69b7ce70f0f236e6734cd6dd6d49586d8a33b93fd4ec8e3cb79e461b4acc192a33e6e98ed4cbad5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj61F2.tmp\vogxk.dll
MD5
1fea91e3debf7c3115cd97b8be64da57

SHA1
dc1fd88108a94cea7d802f9e8ab20c8d120c7602

SHA256
fae6a3048e91247206a42ee5f9261b9602afc2bd7fd8665f5a08b82c517a1789

SHA512
76357d24719d57f73b39fa3418897e90a817fdea4f54f588cc7958baeefa0028310b8a94b08627d45fd1a4f7a5a63b54a470bc02ccd24bbcf3f6df4a7039a850

Download Submit
\Users\Admin\AppData\Local\Temp\nsrD62E.tmp\vogxk.dll
MD5
1fea91e3debf7c3115cd97b8be64da57

SHA1
dc1fd88108a94cea7d802f9e8ab20c8d120c7602

SHA256
fae6a3048e91247206a42ee5f9261b9602afc2bd7fd8665f5a08b82c517a1789

SHA512
76357d24719d57f73b39fa3418897e90a817fdea4f54f588cc7958baeefa0028310b8a94b08627d45fd1a4f7a5a63b54a470bc02ccd24bbcf3f6df4a7039a850

Download Submit
memory/616-124-0x00000000031A0000-0x00000000034C0000-memory.dmp

Filesize
3.1MB

Download
memory/616-125-0x0000000003090000-0x0000000003120000-memory.dmp

Filesize
576KB

Download
memory/616-121-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/616-122-0x00000000008D0000-0x00000000008F9000-memory.dmp

Filesize
164KB

Download
memory/616-120-0x0000000000000000-mapping.dmp

Download
memory/824-137-0x00007FF7B2F80000-0x00007FF7B3013000-memory.dmp

Filesize
588KB

Download
memory/824-136-0x0000000000000000-mapping.dmp

Download
memory/824-138-0x0000018AD2770000-0x0000018AD2806000-memory.dmp

Filesize
600KB

Download
memory/864-118-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/864-117-0x0000000000B40000-0x0000000000E60000-memory.dmp

Filesize
3.1MB

Download
memory/864-116-0x000000000041D3D0-mapping.dmp

Download
memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1120-123-0x0000000000000000-mapping.dmp

Download
memory/1268-127-0x0000000000000000-mapping.dmp

Download
memory/3052-126-0x0000000005C80000-0x0000000005DC4000-memory.dmp

Filesize
1.3MB

Download
memory/3052-119-0x0000000002550000-0x0000000002625000-memory.dmp

Filesize
852KB

Download
memory/3148-135-0x00000000009B0000-0x0000000000CD0000-memory.dmp

Filesize
3.1MB

Download
memory/3148-133-0x000000000041D3D0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads