formbook | 497c4b0121e59a1fdeb370b38acf6d33f846a399ed3bdc47f51a230e1c198a25

General

Target

factura.exe
Size

684KB
MD5

7c6766218c6f18eb3f8be7391e8e62cc
SHA1

9cddeb0d7aa5e7206cd2b0a34c924ee5eb81ebe3
SHA256

2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada
SHA512

1da399c56670c79e725ebebb49f7c78cefeb652fea089f5e5961bce38803b4f687b04b09e7ea92bc13f1e23abee8b97a8f11f8d6bf76b2e0355380e1f224531f

Score

10^/10

formbook xloader snec loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snec

C2

http://www.go2payme.com/snec/

Decoy

sacramentoscoop.com

auroraeqp.com

ontactfactory.com

abenakigroup.com

xander-tech.com

cocaineislegal.com

carbondouze.com

louisvilleestatelawyer.com

sundaytejero.quest

arti-faqs.com

thisandthat.store

biodyne-el-salvador.com

18504seheritageoakslane.com

mfialias.xyz

whitestoneclo.com

6288117.com

oficiosuy.com

autogift.xyz

wallbabyshell.com

chaletlabaie.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1824-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1824-63-0x000000000041D460-mapping.dmp	xloader
behavioral1/memory/752-71-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1476-87-0x000000000041D460-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

igfxztkpnz.exeigfxztkpnz.exe

pid process

1896 igfxztkpnz.exe
1476 igfxztkpnz.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1480 cmd.exe

pid	process
1896	igfxztkpnz.exe
1476	igfxztkpnz.exe

pid	process
1480	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NAPSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C8L8FTBPPFMT = "C:\\Program Files (x86)\\Sbx4h_rn\\igfxztkpnz.exe"	NAPSTAT.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

factura.exefactura.exeNAPSTAT.EXEigfxztkpnz.exe

description	pid	process	target process
PID 948 set thread context of 1824	948	factura.exe	factura.exe
PID 1824 set thread context of 1352	1824	factura.exe	Explorer.EXE
PID 752 set thread context of 1352	752	NAPSTAT.EXE	Explorer.EXE
PID 1896 set thread context of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe

Drops file in Program Files directory 2 IoCs

Processes:

NAPSTAT.EXEExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe	NAPSTAT.EXE
File created	C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

factura.exeNAPSTAT.EXEigfxztkpnz.exe

pid	process
1824	factura.exe
1824	factura.exe
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
1476	igfxztkpnz.exe
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE
752	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

factura.exeNAPSTAT.EXE

pid process

1824 factura.exe
1824 factura.exe
1824 factura.exe
752 NAPSTAT.EXE
752 NAPSTAT.EXE
752 NAPSTAT.EXE
752 NAPSTAT.EXE

pid	process
1352	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

factura.exeNAPSTAT.EXEigfxztkpnz.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1824	factura.exe
Token: SeDebugPrivilege	752	NAPSTAT.EXE
Token: SeDebugPrivilege	1476	igfxztkpnz.exe
Token: SeShutdownPrivilege	1352	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

factura.exeExplorer.EXENAPSTAT.EXEigfxztkpnz.exe

description	pid	process	target process
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 948 wrote to memory of 1824	948	factura.exe	factura.exe
PID 1352 wrote to memory of 752	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 752	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 752	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 752	1352	Explorer.EXE	NAPSTAT.EXE
PID 752 wrote to memory of 1480	752	NAPSTAT.EXE	cmd.exe
PID 752 wrote to memory of 1480	752	NAPSTAT.EXE	cmd.exe
PID 752 wrote to memory of 1480	752	NAPSTAT.EXE	cmd.exe
PID 752 wrote to memory of 1480	752	NAPSTAT.EXE	cmd.exe
PID 752 wrote to memory of 1992	752	NAPSTAT.EXE	Firefox.exe
PID 752 wrote to memory of 1992	752	NAPSTAT.EXE	Firefox.exe
PID 752 wrote to memory of 1992	752	NAPSTAT.EXE	Firefox.exe
PID 752 wrote to memory of 1992	752	NAPSTAT.EXE	Firefox.exe
PID 1352 wrote to memory of 1896	1352	Explorer.EXE	igfxztkpnz.exe
PID 1352 wrote to memory of 1896	1352	Explorer.EXE	igfxztkpnz.exe
PID 1352 wrote to memory of 1896	1352	Explorer.EXE	igfxztkpnz.exe
PID 1352 wrote to memory of 1896	1352	Explorer.EXE	igfxztkpnz.exe
PID 752 wrote to memory of 1992	752	NAPSTAT.EXE	Firefox.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe
PID 1896 wrote to memory of 1476	1896	igfxztkpnz.exe	igfxztkpnz.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\factura.exe
"C:\Users\Admin\AppData\Local\Temp\factura.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\factura.exe
"C:\Users\Admin\AppData\Local\Temp\factura.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\factura.exe"
3⤵
- Deletes itself
PID:1480

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1992

C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe
"C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe
"C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe
MD5
7c6766218c6f18eb3f8be7391e8e62cc

SHA1
9cddeb0d7aa5e7206cd2b0a34c924ee5eb81ebe3

SHA256
2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada

SHA512
1da399c56670c79e725ebebb49f7c78cefeb652fea089f5e5961bce38803b4f687b04b09e7ea92bc13f1e23abee8b97a8f11f8d6bf76b2e0355380e1f224531f

Download Submit
C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe
MD5
7c6766218c6f18eb3f8be7391e8e62cc

SHA1
9cddeb0d7aa5e7206cd2b0a34c924ee5eb81ebe3

SHA256
2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada

SHA512
1da399c56670c79e725ebebb49f7c78cefeb652fea089f5e5961bce38803b4f687b04b09e7ea92bc13f1e23abee8b97a8f11f8d6bf76b2e0355380e1f224531f

Download Submit
C:\Program Files (x86)\Sbx4h_rn\igfxztkpnz.exe
MD5
7c6766218c6f18eb3f8be7391e8e62cc

SHA1
9cddeb0d7aa5e7206cd2b0a34c924ee5eb81ebe3

SHA256
2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada

SHA512
1da399c56670c79e725ebebb49f7c78cefeb652fea089f5e5961bce38803b4f687b04b09e7ea92bc13f1e23abee8b97a8f11f8d6bf76b2e0355380e1f224531f

Download Submit
memory/752-75-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download
memory/752-73-0x00000000009C0000-0x0000000000A50000-memory.dmp

Filesize
576KB

Download
memory/752-72-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/752-71-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/752-70-0x0000000000D20000-0x0000000000D66000-memory.dmp

Filesize
280KB

Download
memory/752-68-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/948-59-0x0000000004AB0000-0x0000000004AFB000-memory.dmp

Filesize
300KB

Download
memory/948-58-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/948-57-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/1352-67-0x0000000005130000-0x0000000005225000-memory.dmp

Filesize
980KB

Download
memory/1352-74-0x0000000006B50000-0x0000000006C9D000-memory.dmp

Filesize
1.3MB

Download
memory/1476-87-0x000000000041D460-mapping.dmp

Download
memory/1476-89-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1480-69-0x0000000000000000-mapping.dmp

Download
memory/1824-66-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/1824-65-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download
memory/1824-63-0x000000000041D460-mapping.dmp

Download
memory/1824-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1824-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1824-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1896-76-0x0000000000000000-mapping.dmp

Download
memory/1896-79-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1896-82-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads