formbook | cb14692eac3d5825fa466d731c8692b2ec6c1ea94e4c0ef515738844eeb91ec1

General

Target

Inquiry Order.exe
Size

382KB
MD5

a5b0ce8922a255ec0365017fa0cb8ba8
SHA1

911b6222cf8c51f69f70923b13e3bbad0e0699f7
SHA256

417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f
SHA512

73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300

Score

10^/10

formbook xloader b5ce loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b5ce

C2

http://www.rheilea.com/b5ce/

Decoy

advellerd.xyz

giasuvina.com

arab-xt-pro.com

ahsltu2ua4.com

trasportesemmanuel.com

kissimmeesoccercup.com

studyengland.com

m2volleyballclub.com

shyuehuan.com

elsml.com

blog-x-history.top

coditeu.com

allattachments.net

vigautruc.com

mentication.com

zambiaedu.xyz

filadelfiacenter.com

avlaborsourceinc.info

tameka-stewart.com

studio-cleo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2916-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2916-125-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/3780-132-0x00000000010C0000-0x00000000010E9000-memory.dmp	xloader
behavioral2/memory/1156-154-0x000000000041D430-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8PCXNZIX = "C:\\Program Files (x86)\\Rkx4duf\\mfc1b0p.exe"	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

mfc1b0p.exemfc1b0p.exe

pid process

3976 mfc1b0p.exe
1156 mfc1b0p.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3976	mfc1b0p.exe
1156	mfc1b0p.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Inquiry Order.exeInquiry Order.exesvchost.exemfc1b0p.exe

description	pid	process	target process
PID 2384 set thread context of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2916 set thread context of 1588	2916	Inquiry Order.exe	Explorer.EXE
PID 3780 set thread context of 1588	3780	svchost.exe	Explorer.EXE
PID 3976 set thread context of 1156	3976	mfc1b0p.exe	mfc1b0p.exe

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Rkx4duf	Explorer.EXE
File created	C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Inquiry Order.exeInquiry Order.exesvchost.exe

pid	process
2384	Inquiry Order.exe
2384	Inquiry Order.exe
2916	Inquiry Order.exe
2916	Inquiry Order.exe
2916	Inquiry Order.exe
2916	Inquiry Order.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1588 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Inquiry Order.exesvchost.exe

pid process

2916 Inquiry Order.exe
2916 Inquiry Order.exe
2916 Inquiry Order.exe
3780 svchost.exe
3780 svchost.exe
3780 svchost.exe
3780 svchost.exe

pid	process
1588	Explorer.EXE

pid	process
2916	Inquiry Order.exe
2916	Inquiry Order.exe
2916	Inquiry Order.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Inquiry Order.exeInquiry Order.exesvchost.exeExplorer.EXEmfc1b0p.exe

description	pid	process
Token: SeDebugPrivilege	2384	Inquiry Order.exe
Token: SeDebugPrivilege	2916	Inquiry Order.exe
Token: SeDebugPrivilege	3780	svchost.exe
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE
Token: SeDebugPrivilege	1156	mfc1b0p.exe
Token: SeShutdownPrivilege	1588	Explorer.EXE
Token: SeCreatePagefilePrivilege	1588	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Inquiry Order.exeExplorer.EXEsvchost.exemfc1b0p.exe

description	pid	process	target process
PID 2384 wrote to memory of 2708	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2708	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2708	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 2384 wrote to memory of 2916	2384	Inquiry Order.exe	Inquiry Order.exe
PID 1588 wrote to memory of 3780	1588	Explorer.EXE	svchost.exe
PID 1588 wrote to memory of 3780	1588	Explorer.EXE	svchost.exe
PID 1588 wrote to memory of 3780	1588	Explorer.EXE	svchost.exe
PID 3780 wrote to memory of 2192	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2192	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2192	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 932	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 932	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 932	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2744	3780	svchost.exe	Firefox.exe
PID 3780 wrote to memory of 2744	3780	svchost.exe	Firefox.exe
PID 1588 wrote to memory of 3976	1588	Explorer.EXE	mfc1b0p.exe
PID 1588 wrote to memory of 3976	1588	Explorer.EXE	mfc1b0p.exe
PID 1588 wrote to memory of 3976	1588	Explorer.EXE	mfc1b0p.exe
PID 3780 wrote to memory of 2744	3780	svchost.exe	Firefox.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe
PID 3976 wrote to memory of 1156	3976	mfc1b0p.exe	mfc1b0p.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
3⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
3⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:932

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2744

C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe
"C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe
"C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe
MD5
a5b0ce8922a255ec0365017fa0cb8ba8

SHA1
911b6222cf8c51f69f70923b13e3bbad0e0699f7

SHA256
417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f

SHA512
73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300

Download Submit
C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe
MD5
a5b0ce8922a255ec0365017fa0cb8ba8

SHA1
911b6222cf8c51f69f70923b13e3bbad0e0699f7

SHA256
417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f

SHA512
73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300

Download Submit
C:\Program Files (x86)\Rkx4duf\mfc1b0p.exe
MD5
a5b0ce8922a255ec0365017fa0cb8ba8

SHA1
911b6222cf8c51f69f70923b13e3bbad0e0699f7

SHA256
417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f

SHA512
73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/932-136-0x0000000000000000-mapping.dmp

Download
memory/1156-154-0x000000000041D430-mapping.dmp

Download
memory/1156-156-0x00000000017C0000-0x0000000001AE0000-memory.dmp

Filesize
3.1MB

Download
memory/1588-135-0x0000000000880000-0x0000000000982000-memory.dmp

Filesize
1.0MB

Download
memory/1588-128-0x0000000004FF0000-0x0000000005162000-memory.dmp

Filesize
1.4MB

Download
memory/2192-130-0x0000000000000000-mapping.dmp

Download
memory/2384-121-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2384-115-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2384-123-0x0000000005BC0000-0x0000000005C0B000-memory.dmp

Filesize
300KB

Download
memory/2384-122-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/2384-120-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2384-119-0x0000000004E00000-0x00000000052FE000-memory.dmp

Filesize
5.0MB

Download
memory/2384-118-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2384-117-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2744-151-0x00000225445D0000-0x000002254475C000-memory.dmp

Filesize
1.5MB

Download
memory/2744-150-0x00007FF776950000-0x00007FF7769E3000-memory.dmp

Filesize
588KB

Download
memory/2744-149-0x0000000000000000-mapping.dmp

Download
memory/2916-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-127-0x0000000001000000-0x0000000001011000-memory.dmp

Filesize
68KB

Download
memory/2916-126-0x0000000001330000-0x0000000001650000-memory.dmp

Filesize
3.1MB

Download
memory/2916-125-0x000000000041D430-mapping.dmp

Download
memory/3780-134-0x0000000003500000-0x0000000003590000-memory.dmp

Filesize
576KB

Download
memory/3780-133-0x0000000003B00000-0x0000000003E20000-memory.dmp

Filesize
3.1MB

Download
memory/3780-132-0x00000000010C0000-0x00000000010E9000-memory.dmp

Filesize
164KB

Download
memory/3780-131-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/3780-129-0x0000000000000000-mapping.dmp

Download
memory/3976-138-0x0000000000000000-mapping.dmp

Download
memory/3976-147-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads