formbook | eec96529834b477322282fdc1f9a976905677cd0e57389b81fd7039247515568

General

Target

UPStracking0940292.exe
Size

256KB
MD5

ecad1092417fae79942a0022ce770621
SHA1

661d76ff20089a6926c95a934b4619baefd230c5
SHA256

86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA512

9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7

Score

10^/10

formbook xloader dhua loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dhua

C2

http://www.segurosramosroman.com/dhua/

Decoy

ketostar.club

icanmakeyoufamous.com

claimygdejection.com

garlicinterestedparent.xyz

bits-clicks.com

030atk.xyz

ballwiegand.com

logs-illumidesk.com

785686.com

flnewsfeed.com

transporteshrj.net

agenciamundodigital.online

bowersllc.com

urchncenw.com

wuauwuaumx.com

littlesportsacademy.com

xn--m3chb3ax0abdta3fwhk.com

prmarketings.com

jiaozhanlianmeng.com

whenisthestore.space

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1092-55-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1092-56-0x000000000041D4E0-mapping.dmp	xloader
behavioral1/memory/1676-67-0x0000000000120000-0x0000000000149000-memory.dmp	xloader
behavioral1/memory/1668-78-0x000000000041D4E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

regsvcnnu0.exeregsvcnnu0.exe

pid process

1200 regsvcnnu0.exe
1668 regsvcnnu0.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1428 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

UPStracking0940292.exeregsvcnnu0.exe

pid process

1776 UPStracking0940292.exe
1200 regsvcnnu0.exe

pid	process
1200	regsvcnnu0.exe
1668	regsvcnnu0.exe

pid	process
1428	cmd.exe

pid	process
1776	UPStracking0940292.exe
1200	regsvcnnu0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MRKPNJ28HP = "C:\\Program Files (x86)\\L4h9l_r5h\\regsvcnnu0.exe"	explorer.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

UPStracking0940292.exeUPStracking0940292.exeexplorer.exeregsvcnnu0.exe

description	pid	process	target process
PID 1776 set thread context of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1092 set thread context of 1204	1092	UPStracking0940292.exe	Explorer.EXE
PID 1092 set thread context of 1204	1092	UPStracking0940292.exe	Explorer.EXE
PID 1676 set thread context of 1204	1676	explorer.exe	Explorer.EXE
PID 1200 set thread context of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe

Drops file in Program Files directory 2 IoCs

Processes:

explorer.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	explorer.exe
File created	C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_1
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_2
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_1
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_2
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_1
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

UPStracking0940292.exeexplorer.exeregsvcnnu0.exe

pid	process
1092	UPStracking0940292.exe
1092	UPStracking0940292.exe
1092	UPStracking0940292.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1668	regsvcnnu0.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

UPStracking0940292.exeexplorer.exe

pid	process
1092	UPStracking0940292.exe
1092	UPStracking0940292.exe
1092	UPStracking0940292.exe
1092	UPStracking0940292.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe
1676	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

UPStracking0940292.exeexplorer.exeregsvcnnu0.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1092	UPStracking0940292.exe
Token: SeDebugPrivilege	1676	explorer.exe
Token: SeDebugPrivilege	1668	regsvcnnu0.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

UPStracking0940292.exeUPStracking0940292.exeexplorer.exeExplorer.EXEregsvcnnu0.exe

description	pid	process	target process
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1776 wrote to memory of 1092	1776	UPStracking0940292.exe	UPStracking0940292.exe
PID 1092 wrote to memory of 1676	1092	UPStracking0940292.exe	explorer.exe
PID 1092 wrote to memory of 1676	1092	UPStracking0940292.exe	explorer.exe
PID 1092 wrote to memory of 1676	1092	UPStracking0940292.exe	explorer.exe
PID 1092 wrote to memory of 1676	1092	UPStracking0940292.exe	explorer.exe
PID 1676 wrote to memory of 1428	1676	explorer.exe	cmd.exe
PID 1676 wrote to memory of 1428	1676	explorer.exe	cmd.exe
PID 1676 wrote to memory of 1428	1676	explorer.exe	cmd.exe
PID 1676 wrote to memory of 1428	1676	explorer.exe	cmd.exe
PID 1676 wrote to memory of 1784	1676	explorer.exe	Firefox.exe
PID 1676 wrote to memory of 1784	1676	explorer.exe	Firefox.exe
PID 1676 wrote to memory of 1784	1676	explorer.exe	Firefox.exe
PID 1676 wrote to memory of 1784	1676	explorer.exe	Firefox.exe
PID 1204 wrote to memory of 1200	1204	Explorer.EXE	regsvcnnu0.exe
PID 1204 wrote to memory of 1200	1204	Explorer.EXE	regsvcnnu0.exe
PID 1204 wrote to memory of 1200	1204	Explorer.EXE	regsvcnnu0.exe
PID 1204 wrote to memory of 1200	1204	Explorer.EXE	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1200 wrote to memory of 1668	1200	regsvcnnu0.exe	regsvcnnu0.exe
PID 1676 wrote to memory of 1784	1676	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe
"C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe
"C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"
5⤵
- Deletes itself
PID:1428

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
5⤵
PID:1784

C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe
"C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe
"C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe
MD5
ecad1092417fae79942a0022ce770621

SHA1
661d76ff20089a6926c95a934b4619baefd230c5

SHA256
86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757

SHA512
9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7

Download Submit
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe
MD5
ecad1092417fae79942a0022ce770621

SHA1
661d76ff20089a6926c95a934b4619baefd230c5

SHA256
86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757

SHA512
9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7

Download Submit
C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe
MD5
ecad1092417fae79942a0022ce770621

SHA1
661d76ff20089a6926c95a934b4619baefd230c5

SHA256
86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757

SHA512
9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk3ingy62g95a4edy
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsbB6B2.tmp\zflbzcl.dll
MD5
0200fe8ceab8e27bcdeec801d6e8910f

SHA1
255d5d2a8b7893d456fe6181764e52558d89834c

SHA256
d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced

SHA512
71b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036

Download Submit
\Users\Admin\AppData\Local\Temp\nsw34E5.tmp\zflbzcl.dll
MD5
0200fe8ceab8e27bcdeec801d6e8910f

SHA1
255d5d2a8b7893d456fe6181764e52558d89834c

SHA256
d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced

SHA512
71b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036

Download Submit
memory/1092-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1092-56-0x000000000041D4E0-mapping.dmp

Download
memory/1092-57-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1092-58-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1092-60-0x00000000004C0000-0x00000000004D1000-memory.dmp

Filesize
68KB

Download
memory/1200-71-0x0000000000000000-mapping.dmp

Download
memory/1204-61-0x0000000004D00000-0x0000000004E1B000-memory.dmp

Filesize
1.1MB

Download
memory/1204-70-0x0000000004E20000-0x0000000004F61000-memory.dmp

Filesize
1.3MB

Download
memory/1204-59-0x0000000004BB0000-0x0000000004CF1000-memory.dmp

Filesize
1.3MB

Download
memory/1428-65-0x0000000000000000-mapping.dmp

Download
memory/1668-78-0x000000000041D4E0-mapping.dmp

Download
memory/1668-81-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/1676-66-0x00000000003C0000-0x0000000000641000-memory.dmp

Filesize
2.5MB

Download
memory/1676-69-0x0000000002030000-0x00000000020C0000-memory.dmp

Filesize
576KB

Download
memory/1676-64-0x00000000750F1000-0x00000000750F3000-memory.dmp

Filesize
8KB

Download
memory/1676-62-0x0000000000000000-mapping.dmp

Download
memory/1676-67-0x0000000000120000-0x0000000000149000-memory.dmp

Filesize
164KB

Download
memory/1676-68-0x0000000002410000-0x0000000002713000-memory.dmp

Filesize
3.0MB

Download
memory/1776-53-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1784-80-0x0000000000000000-mapping.dmp

Download
memory/1784-82-0x000000013F800000-0x000000013F893000-memory.dmp

Filesize
588KB

Download
memory/1784-83-0x0000000002450000-0x00000000025A0000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads