formbook | 12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

General

Target

Nuevo Pago 15.10.2021.exe
Size

247KB
MD5

b50f2ee58a34c1e367450e1e2bc107bf
SHA1

9a5bc255948f7b16eb3d109808d8d1bafd1f6070
SHA256

12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
SHA512

fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Score

10^/10

formbook xloader u9xn loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4032-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4032-117-0x000000000041D4F0-mapping.dmp	xloader
behavioral2/memory/920-125-0x0000000000610000-0x0000000000639000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

evnhj7njpftb.exe

pid process

2156 evnhj7njpftb.exe
Loads dropped DLL 1 IoCs

Processes:

Nuevo Pago 15.10.2021.exe

pid process

2504 Nuevo Pago 15.10.2021.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2156	evnhj7njpftb.exe

pid	process
2504	Nuevo Pago 15.10.2021.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KX4P-6RHUBO = "C:\\Program Files (x86)\\Bp6h\\evnhj7njpftb.exe"	cmstp.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Nuevo Pago 15.10.2021.exeNuevo Pago 15.10.2021.execmstp.exe

description	pid	process	target process
PID 2504 set thread context of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 4032 set thread context of 3024	4032	Nuevo Pago 15.10.2021.exe	Explorer.EXE
PID 920 set thread context of 3024	920	cmstp.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

cmstp.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	cmstp.exe
File opened for modification	C:\Program Files (x86)\Bp6h	Explorer.EXE
File created	C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	nsis_installer_1
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	nsis_installer_2
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	nsis_installer_1
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

Nuevo Pago 15.10.2021.execmstp.exe

pid	process
4032	Nuevo Pago 15.10.2021.exe
4032	Nuevo Pago 15.10.2021.exe
4032	Nuevo Pago 15.10.2021.exe
4032	Nuevo Pago 15.10.2021.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe
920	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Nuevo Pago 15.10.2021.execmstp.exe

pid process

4032 Nuevo Pago 15.10.2021.exe
4032 Nuevo Pago 15.10.2021.exe
4032 Nuevo Pago 15.10.2021.exe
920 cmstp.exe
920 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Nuevo Pago 15.10.2021.execmstp.exe

description pid process

Token: SeDebugPrivilege 4032 Nuevo Pago 15.10.2021.exe
Token: SeDebugPrivilege 920 cmstp.exe

pid	process
3024	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4032	Nuevo Pago 15.10.2021.exe
Token: SeDebugPrivilege	920	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Nuevo Pago 15.10.2021.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032	2504	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 3024 wrote to memory of 920	3024	Explorer.EXE	cmstp.exe
PID 3024 wrote to memory of 920	3024	Explorer.EXE	cmstp.exe
PID 3024 wrote to memory of 920	3024	Explorer.EXE	cmstp.exe
PID 920 wrote to memory of 1232	920	cmstp.exe	cmd.exe
PID 920 wrote to memory of 1232	920	cmstp.exe	cmd.exe
PID 920 wrote to memory of 1232	920	cmstp.exe	cmd.exe
PID 920 wrote to memory of 712	920	cmstp.exe	cmd.exe
PID 920 wrote to memory of 712	920	cmstp.exe	cmd.exe
PID 920 wrote to memory of 712	920	cmstp.exe	cmd.exe
PID 3024 wrote to memory of 2156	3024	Explorer.EXE	evnhj7njpftb.exe
PID 3024 wrote to memory of 2156	3024	Explorer.EXE	evnhj7njpftb.exe
PID 3024 wrote to memory of 2156	3024	Explorer.EXE	evnhj7njpftb.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
3⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:712

C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe
"C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe"
2⤵
- Executes dropped EXE
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe
MD5
b50f2ee58a34c1e367450e1e2bc107bf

SHA1
9a5bc255948f7b16eb3d109808d8d1bafd1f6070

SHA256
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

SHA512
fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Download Submit
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe
MD5
b50f2ee58a34c1e367450e1e2bc107bf

SHA1
9a5bc255948f7b16eb3d109808d8d1bafd1f6070

SHA256
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

SHA512
fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
\Users\Admin\AppData\Local\Temp\nss1589.tmp\gibh.dll
MD5
6a6e5ce1da420ef522bed80375260881

SHA1
acc4a1f85c397d6b93ba69f43182cbaf8d9cd768

SHA256
829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1

SHA512
1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102

Download Submit
memory/712-129-0x0000000000000000-mapping.dmp

Download
memory/920-127-0x0000000000F70000-0x0000000001000000-memory.dmp

Filesize
576KB

Download
memory/920-122-0x0000000000000000-mapping.dmp

Download
memory/920-125-0x0000000000610000-0x0000000000639000-memory.dmp

Filesize
164KB

Download
memory/920-124-0x0000000001240000-0x0000000001256000-memory.dmp

Filesize
88KB

Download
memory/920-126-0x0000000004660000-0x0000000004980000-memory.dmp

Filesize
3.1MB

Download
memory/1232-123-0x0000000000000000-mapping.dmp

Download
memory/2156-131-0x0000000000000000-mapping.dmp

Download
memory/3024-128-0x0000000002450000-0x0000000002529000-memory.dmp

Filesize
868KB

Download
memory/3024-121-0x0000000005D00000-0x0000000005E35000-memory.dmp

Filesize
1.2MB

Download
memory/4032-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp

Filesize
3.1MB

Download
memory/4032-120-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4032-117-0x000000000041D4F0-mapping.dmp

Download
memory/4032-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads