formbook | 163a5b1e5e3c3a30cd0502f6e6b93e0f493ceaade091d5841a2143210894522b

General

Target

Swift copy.exe
Size

375KB
MD5

480c3e5e116382f76da67e92b0c06b5d
SHA1

77e95fea7b8afcce773e8c3592e199c71dd03172
SHA256

2c78fa1d90fe76c14f0a642af43c560875054e342bbb144aa9ff8f0fdbb0670f
SHA512

5798198704ff3b3db9d7f4037db9c4b6315faa77c2f330e70fc68c081ff9c96e7753d6ab871e4024b8d630649bbd682816fd96d4c6766164839be6b4431d985c

Score

10^/10

formbook xloader snec loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snec

C2

http://www.go2payme.com/snec/

Decoy

sacramentoscoop.com

auroraeqp.com

ontactfactory.com

abenakigroup.com

xander-tech.com

cocaineislegal.com

carbondouze.com

louisvilleestatelawyer.com

sundaytejero.quest

arti-faqs.com

thisandthat.store

biodyne-el-salvador.com

18504seheritageoakslane.com

mfialias.xyz

whitestoneclo.com

6288117.com

oficiosuy.com

autogift.xyz

wallbabyshell.com

chaletlabaie.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1920-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1920-125-0x000000000041D460-mapping.dmp	xloader
behavioral2/memory/588-132-0x0000000002C00000-0x0000000002C29000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

bbxczlt.exe

pid process

1328 bbxczlt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1328	bbxczlt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	mstsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TVVHHBMXCN = "C:\\Program Files (x86)\\U_brtedw8\\bbxczlt.exe"	mstsc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Swift copy.exeSwift copy.exemstsc.exe

description	pid	process	target process
PID 3284 set thread context of 1920	3284	Swift copy.exe	Swift copy.exe
PID 1920 set thread context of 2800	1920	Swift copy.exe	Explorer.EXE
PID 588 set thread context of 2800	588	mstsc.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEmstsc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\U_brtedw8	Explorer.EXE
File created	C:\Program Files (x86)\U_brtedw8\bbxczlt.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\U_brtedw8\bbxczlt.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\U_brtedw8\bbxczlt.exe	mstsc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Swift copy.exemstsc.exe

pid	process
1920	Swift copy.exe
1920	Swift copy.exe
1920	Swift copy.exe
1920	Swift copy.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe
588	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2800 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Swift copy.exemstsc.exe

pid process

1920 Swift copy.exe
1920 Swift copy.exe
1920 Swift copy.exe
588 mstsc.exe
588 mstsc.exe
588 mstsc.exe
588 mstsc.exe

pid	process
2800	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Swift copy.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1920	Swift copy.exe
Token: SeDebugPrivilege	588	mstsc.exe
Token: SeShutdownPrivilege	2800	Explorer.EXE
Token: SeCreatePagefilePrivilege	2800	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Swift copy.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 3284 wrote to memory of 1920	3284	Swift copy.exe	Swift copy.exe
PID 2800 wrote to memory of 588	2800	Explorer.EXE	mstsc.exe
PID 2800 wrote to memory of 588	2800	Explorer.EXE	mstsc.exe
PID 2800 wrote to memory of 588	2800	Explorer.EXE	mstsc.exe
PID 588 wrote to memory of 2864	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 2864	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 2864	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 2780	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 2780	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 2780	588	mstsc.exe	cmd.exe
PID 588 wrote to memory of 1340	588	mstsc.exe	Firefox.exe
PID 588 wrote to memory of 1340	588	mstsc.exe	Firefox.exe
PID 2800 wrote to memory of 1328	2800	Explorer.EXE	bbxczlt.exe
PID 2800 wrote to memory of 1328	2800	Explorer.EXE	bbxczlt.exe
PID 2800 wrote to memory of 1328	2800	Explorer.EXE	bbxczlt.exe
PID 588 wrote to memory of 1340	588	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\Swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Swift copy.exe"
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2780

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1340

C:\Program Files (x86)\U_brtedw8\bbxczlt.exe
"C:\Program Files (x86)\U_brtedw8\bbxczlt.exe"
2⤵
- Executes dropped EXE
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\U_brtedw8\bbxczlt.exe
MD5
480c3e5e116382f76da67e92b0c06b5d

SHA1
77e95fea7b8afcce773e8c3592e199c71dd03172

SHA256
2c78fa1d90fe76c14f0a642af43c560875054e342bbb144aa9ff8f0fdbb0670f

SHA512
5798198704ff3b3db9d7f4037db9c4b6315faa77c2f330e70fc68c081ff9c96e7753d6ab871e4024b8d630649bbd682816fd96d4c6766164839be6b4431d985c

Download Submit
C:\Program Files (x86)\U_brtedw8\bbxczlt.exe
MD5
480c3e5e116382f76da67e92b0c06b5d

SHA1
77e95fea7b8afcce773e8c3592e199c71dd03172

SHA256
2c78fa1d90fe76c14f0a642af43c560875054e342bbb144aa9ff8f0fdbb0670f

SHA512
5798198704ff3b3db9d7f4037db9c4b6315faa77c2f330e70fc68c081ff9c96e7753d6ab871e4024b8d630649bbd682816fd96d4c6766164839be6b4431d985c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/588-134-0x0000000004C60000-0x0000000004F80000-memory.dmp

Filesize
3.1MB

Download
memory/588-132-0x0000000002C00000-0x0000000002C29000-memory.dmp

Filesize
164KB

Download
memory/588-135-0x00000000049B0000-0x0000000004A40000-memory.dmp

Filesize
576KB

Download
memory/588-130-0x0000000000000000-mapping.dmp

Download
memory/588-131-0x0000000000870000-0x0000000000B6C000-memory.dmp

Filesize
3.0MB

Download
memory/1328-147-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1328-139-0x0000000000000000-mapping.dmp

Download
memory/1920-125-0x000000000041D460-mapping.dmp

Download
memory/1920-127-0x0000000001060000-0x0000000001380000-memory.dmp

Filesize
3.1MB

Download
memory/1920-128-0x0000000001030000-0x0000000001041000-memory.dmp

Filesize
68KB

Download
memory/1920-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-137-0x0000000000000000-mapping.dmp

Download
memory/2800-129-0x0000000005260000-0x00000000053A6000-memory.dmp

Filesize
1.3MB

Download
memory/2800-136-0x0000000002900000-0x0000000002995000-memory.dmp

Filesize
596KB

Download
memory/2864-133-0x0000000000000000-mapping.dmp

Download
memory/3284-115-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3284-123-0x00000000084D0000-0x000000000851B000-memory.dmp

Filesize
300KB

Download
memory/3284-122-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/3284-121-0x0000000007FF0000-0x0000000007FF7000-memory.dmp

Filesize
28KB

Download
memory/3284-120-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3284-119-0x0000000004870000-0x0000000004D6E000-memory.dmp

Filesize
5.0MB

Download
memory/3284-118-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/3284-117-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads