formbook | 68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95

General

Target

payment advice_16000.exe
Size

254KB
MD5

a1c481bb9474e04781840009a3c10664
SHA1

c432b71a2f493e7c7a120d42d41bf7e4de2053f8
SHA256

68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95
SHA512

831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68

Score

10^/10

formbook xloader d6pu loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

d6pu

C2

http://www.bonitaspringshomesearch.com/d6pu/

Decoy

ifixcreditatl.com

productgeekout.com

electricvehicle-insurance.com

kuiper.business

cloudenglabs.com

gorbepari.com

collecthappy.com

amykrussell.store

clubhousebusinesscourse.com

aplussinifiklima.com

slewis.design

atticwitt.com

galenota.com

griphook.xyz

gsjbd1.club

bootystrapfitness.com

emflawrhks.com

alternativedata.investments

eyehealthtnpasumo3.xyz

naturanzaec.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2684-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2684-117-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/4044-125-0x0000000000F10000-0x0000000000F39000-memory.dmp	xloader
behavioral2/memory/3068-135-0x000000000041D4E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

winktyl00.exewinktyl00.exe

pid process

360 winktyl00.exe
3068 winktyl00.exe
Loads dropped DLL 2 IoCs

Processes:

payment advice_16000.exewinktyl00.exe

pid process

2708 payment advice_16000.exe
360 winktyl00.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
360	winktyl00.exe
3068	winktyl00.exe

pid	process
2708	payment advice_16000.exe
360	winktyl00.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ILMDQRT8YJ = "C:\\Program Files (x86)\\Zuv1xjlm\\winktyl00.exe"	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

payment advice_16000.exepayment advice_16000.execmd.exewinktyl00.exe

description	pid	process	target process
PID 2708 set thread context of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2684 set thread context of 3056	2684	payment advice_16000.exe	Explorer.EXE
PID 4044 set thread context of 3056	4044	cmd.exe	Explorer.EXE
PID 360 set thread context of 3068	360	winktyl00.exe	winktyl00.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Zuv1xjlm	Explorer.EXE
File created	C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_1
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_2
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_1
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_2
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_1
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

payment advice_16000.execmd.exewinktyl00.exe

pid	process
2684	payment advice_16000.exe
2684	payment advice_16000.exe
2684	payment advice_16000.exe
2684	payment advice_16000.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
3068	winktyl00.exe
3068	winktyl00.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe
4044	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

payment advice_16000.execmd.exe

pid process

2684 payment advice_16000.exe
2684 payment advice_16000.exe
2684 payment advice_16000.exe
4044 cmd.exe
4044 cmd.exe
4044 cmd.exe
4044 cmd.exe

pid	process
3056	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

payment advice_16000.execmd.exeExplorer.EXEwinktyl00.exe

description	pid	process
Token: SeDebugPrivilege	2684	payment advice_16000.exe
Token: SeDebugPrivilege	4044	cmd.exe
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeDebugPrivilege	3068	winktyl00.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

payment advice_16000.exeExplorer.EXEcmd.exewinktyl00.exe

description	pid	process	target process
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 2708 wrote to memory of 2684	2708	payment advice_16000.exe	payment advice_16000.exe
PID 3056 wrote to memory of 4044	3056	Explorer.EXE	cmd.exe
PID 3056 wrote to memory of 4044	3056	Explorer.EXE	cmd.exe
PID 3056 wrote to memory of 4044	3056	Explorer.EXE	cmd.exe
PID 4044 wrote to memory of 388	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 388	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 388	4044	cmd.exe	cmd.exe
PID 3056 wrote to memory of 360	3056	Explorer.EXE	winktyl00.exe
PID 3056 wrote to memory of 360	3056	Explorer.EXE	winktyl00.exe
PID 3056 wrote to memory of 360	3056	Explorer.EXE	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 360 wrote to memory of 3068	360	winktyl00.exe	winktyl00.exe
PID 4044 wrote to memory of 3560	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 3560	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 3560	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 772	4044	cmd.exe	Firefox.exe
PID 4044 wrote to memory of 772	4044	cmd.exe	Firefox.exe
PID 4044 wrote to memory of 772	4044	cmd.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
3⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3560

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:772

C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
"C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:360

C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
"C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
MD5
a1c481bb9474e04781840009a3c10664

SHA1
c432b71a2f493e7c7a120d42d41bf7e4de2053f8

SHA256
68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95

SHA512
831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68

Download Submit
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
MD5
a1c481bb9474e04781840009a3c10664

SHA1
c432b71a2f493e7c7a120d42d41bf7e4de2053f8

SHA256
68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95

SHA512
831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68

Download Submit
C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
MD5
a1c481bb9474e04781840009a3c10664

SHA1
c432b71a2f493e7c7a120d42d41bf7e4de2053f8

SHA256
68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95

SHA512
831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fz9jymg857rxbe
MD5
39797312794434002a09131e32b5d347

SHA1
dc40573abf285996f4cf2e6087b677152e8a85e3

SHA256
6d514108c7b81f6cade0ccbccffc39d9ea239a59bbb98e6d00b0821f9e0a6f3d

SHA512
736553e17ba74448067396261df3be57ca40f95d4d420114a8ca3e55cea6971d5ab3c8560f05e2ddaec4401b381f202f317e2527b2ec614478902505a7e24086

Download Submit
\Users\Admin\AppData\Local\Temp\nsrEE59.tmp\mdta.dll
MD5
7be3eed97c26a1f2f541fac2be0b7fa9

SHA1
430271b97cebe8ae8fc94b5661dca421469c82cd

SHA256
d67b59fb5f9599649fa1aee124aca1b4db74a20fff182133f6569e95d9dd27d0

SHA512
80fe44fc62eb3c8799cf75c66b542995db529ad694665bef18b6ed89eeb976bd328f9965694934a40d345b1bb4e10de13e52747e40f60ea66fb3f4eafbaa0d38

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC80B.tmp\mdta.dll
MD5
7be3eed97c26a1f2f541fac2be0b7fa9

SHA1
430271b97cebe8ae8fc94b5661dca421469c82cd

SHA256
d67b59fb5f9599649fa1aee124aca1b4db74a20fff182133f6569e95d9dd27d0

SHA512
80fe44fc62eb3c8799cf75c66b542995db529ad694665bef18b6ed89eeb976bd328f9965694934a40d345b1bb4e10de13e52747e40f60ea66fb3f4eafbaa0d38

Download Submit
memory/360-129-0x0000000000000000-mapping.dmp

Download
memory/388-123-0x0000000000000000-mapping.dmp

Download
memory/2684-119-0x0000000000AB0000-0x0000000000DD0000-memory.dmp

Filesize
3.1MB

Download
memory/2684-120-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/2684-117-0x000000000041D4E0-mapping.dmp

Download
memory/2684-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3056-121-0x0000000006140000-0x00000000062D1000-memory.dmp

Filesize
1.6MB

Download
memory/3056-128-0x00000000068D0000-0x0000000006A2C000-memory.dmp

Filesize
1.4MB

Download
memory/3068-135-0x000000000041D4E0-mapping.dmp

Download
memory/3068-137-0x0000000000A50000-0x0000000000D70000-memory.dmp

Filesize
3.1MB

Download
memory/3560-138-0x0000000000000000-mapping.dmp

Download
memory/4044-127-0x0000000003670000-0x0000000003700000-memory.dmp

Filesize
576KB

Download
memory/4044-126-0x0000000003810000-0x0000000003B30000-memory.dmp

Filesize
3.1MB

Download
memory/4044-125-0x0000000000F10000-0x0000000000F39000-memory.dmp

Filesize
164KB

Download
memory/4044-124-0x0000000000FB0000-0x0000000001009000-memory.dmp

Filesize
356KB

Download
memory/4044-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads