formbook | 18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

General

Target

QUOTATION.exe
Size

253KB
MD5

cadf879ded4e6a753d7b172b77bce50d
SHA1

ab4f8431c170d75040d8b2984f5e7eadeeeedab9
SHA256

18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119
SHA512

c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Score

10^/10

formbook xloader d6pu loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

d6pu

C2

http://www.bonitaspringshomesearch.com/d6pu/

Decoy

ifixcreditatl.com

productgeekout.com

electricvehicle-insurance.com

kuiper.business

cloudenglabs.com

gorbepari.com

collecthappy.com

amykrussell.store

clubhousebusinesscourse.com

aplussinifiklima.com

slewis.design

atticwitt.com

galenota.com

griphook.xyz

gsjbd1.club

bootystrapfitness.com

emflawrhks.com

alternativedata.investments

eyehealthtnpasumo3.xyz

naturanzaec.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1636-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1636-57-0x000000000041D4E0-mapping.dmp	xloader
behavioral1/memory/1836-64-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader
behavioral1/memory/1168-77-0x000000000041D4E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

vgazvqlxvc0.exevgazvqlxvc0.exe

pid process

1652 vgazvqlxvc0.exe
1168 vgazvqlxvc0.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

632 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

QUOTATION.exevgazvqlxvc0.exe

pid process

1132 QUOTATION.exe
1652 vgazvqlxvc0.exe

pid	process
1652	vgazvqlxvc0.exe
1168	vgazvqlxvc0.exe

pid	process
632	cmd.exe

pid	process
1132	QUOTATION.exe
1652	vgazvqlxvc0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wuapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OBG4Z = "C:\\Program Files (x86)\\Tqjvh\\vgazvqlxvc0.exe"	wuapp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTATION.exeQUOTATION.exewuapp.exevgazvqlxvc0.exe

description	pid	process	target process
PID 1132 set thread context of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1636 set thread context of 1360	1636	QUOTATION.exe	Explorer.EXE
PID 1836 set thread context of 1360	1836	wuapp.exe	Explorer.EXE
PID 1652 set thread context of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe

Drops file in Program Files directory 2 IoCs

Processes:

wuapp.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	wuapp.exe
File created	C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_1
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_2
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_1
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_2
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_1
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wuapp.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

QUOTATION.exewuapp.exevgazvqlxvc0.exe

pid	process
1636	QUOTATION.exe
1636	QUOTATION.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe
1168	vgazvqlxvc0.exe
1836	wuapp.exe
1836	wuapp.exe
1836	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

QUOTATION.exewuapp.exe

pid process

1636 QUOTATION.exe
1636 QUOTATION.exe
1636 QUOTATION.exe
1836 wuapp.exe
1836 wuapp.exe
1836 wuapp.exe
1836 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

QUOTATION.exewuapp.exevgazvqlxvc0.exe

description pid process

Token: SeDebugPrivilege 1636 QUOTATION.exe
Token: SeDebugPrivilege 1836 wuapp.exe
Token: SeDebugPrivilege 1168 vgazvqlxvc0.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

pid	process
1360	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1636	QUOTATION.exe
Token: SeDebugPrivilege	1836	wuapp.exe
Token: SeDebugPrivilege	1168	vgazvqlxvc0.exe

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

QUOTATION.exeExplorer.EXEwuapp.exevgazvqlxvc0.exe

description	pid	process	target process
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 1636	1132	QUOTATION.exe	QUOTATION.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1360 wrote to memory of 1836	1360	Explorer.EXE	wuapp.exe
PID 1836 wrote to memory of 632	1836	wuapp.exe	cmd.exe
PID 1836 wrote to memory of 632	1836	wuapp.exe	cmd.exe
PID 1836 wrote to memory of 632	1836	wuapp.exe	cmd.exe
PID 1836 wrote to memory of 632	1836	wuapp.exe	cmd.exe
PID 1360 wrote to memory of 1652	1360	Explorer.EXE	vgazvqlxvc0.exe
PID 1360 wrote to memory of 1652	1360	Explorer.EXE	vgazvqlxvc0.exe
PID 1360 wrote to memory of 1652	1360	Explorer.EXE	vgazvqlxvc0.exe
PID 1360 wrote to memory of 1652	1360	Explorer.EXE	vgazvqlxvc0.exe
PID 1836 wrote to memory of 1684	1836	wuapp.exe	Firefox.exe
PID 1836 wrote to memory of 1684	1836	wuapp.exe	Firefox.exe
PID 1836 wrote to memory of 1684	1836	wuapp.exe	Firefox.exe
PID 1836 wrote to memory of 1684	1836	wuapp.exe	Firefox.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1652 wrote to memory of 1168	1652	vgazvqlxvc0.exe	vgazvqlxvc0.exe
PID 1836 wrote to memory of 1684	1836	wuapp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
- Deletes itself
PID:632

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1684

C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe
"C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe
"C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe
MD5
cadf879ded4e6a753d7b172b77bce50d

SHA1
ab4f8431c170d75040d8b2984f5e7eadeeeedab9

SHA256
18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

SHA512
c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Download Submit
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe
MD5
cadf879ded4e6a753d7b172b77bce50d

SHA1
ab4f8431c170d75040d8b2984f5e7eadeeeedab9

SHA256
18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

SHA512
c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Download Submit
C:\Program Files (x86)\Tqjvh\vgazvqlxvc0.exe
MD5
cadf879ded4e6a753d7b172b77bce50d

SHA1
ab4f8431c170d75040d8b2984f5e7eadeeeedab9

SHA256
18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

SHA512
c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\phz51u0bs5r87
MD5
95bdcc6a7d42149f66a87e7270e65935

SHA1
1fd0f5f3c689cd3d9243991b54c2d32ebb3fa0c3

SHA256
0238bf372c00fa7351fc3ee201126ca50d3ee7422243ded052dd9b2faa0d46b5

SHA512
8abcaa06f6e6410ecb716e675ce5b8a09e24f30561cb4d4a40cc056d6bdc5de3eb61f5f64a9cefaa20f22045bf40ae11f13625b6c82d99e4389066c36f0734dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB433.tmp\zntsolrgxs.dll
MD5
fe76b0ef249aebd98f82d6437721c047

SHA1
b1d40595e05da9c6f8627885b36177d4ecd54f21

SHA256
39724fa50de7a8937dec84a3f00fe23c9dea895d312bdce8133db18f15ee1a81

SHA512
abff3bc26f23c3c864bca8bb4ef1191278bb88bf5d604db949a822fc98525bcecdc21acceffbca1aae5557c8a13e9e15092837bc1c16b3ec2d03c6b3fc8fd725

Download Submit
\Users\Admin\AppData\Local\Temp\nstB53C.tmp\zntsolrgxs.dll
MD5
fe76b0ef249aebd98f82d6437721c047

SHA1
b1d40595e05da9c6f8627885b36177d4ecd54f21

SHA256
39724fa50de7a8937dec84a3f00fe23c9dea895d312bdce8133db18f15ee1a81

SHA512
abff3bc26f23c3c864bca8bb4ef1191278bb88bf5d604db949a822fc98525bcecdc21acceffbca1aae5557c8a13e9e15092837bc1c16b3ec2d03c6b3fc8fd725

Download Submit
memory/632-66-0x0000000000000000-mapping.dmp

Download
memory/1132-54-0x0000000074B41000-0x0000000074B43000-memory.dmp

Filesize
8KB

Download
memory/1168-79-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1168-77-0x000000000041D4E0-mapping.dmp

Download
memory/1360-60-0x0000000007140000-0x00000000072B9000-memory.dmp

Filesize
1.5MB

Download
memory/1360-68-0x0000000004DC0000-0x0000000004E7C000-memory.dmp

Filesize
752KB

Download
memory/1636-61-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1636-59-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1636-57-0x000000000041D4E0-mapping.dmp

Download
memory/1636-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-70-0x0000000000000000-mapping.dmp

Download
memory/1836-65-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/1836-67-0x00000000008D0000-0x0000000000960000-memory.dmp

Filesize
576KB

Download
memory/1836-64-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1836-63-0x0000000000C00000-0x0000000000C0B000-memory.dmp

Filesize
44KB

Download
memory/1836-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads