formbook | b7349c08d493abba70ca3a84efca28b45777897470ac09f1a4b08e9efcc02958

General

Target

PO Document.exe
Size

323KB
MD5

1ec1e11ac3014b8dd331b3d08972f21b
SHA1

07c546a6a311835c712d9404be182daef56611ab
SHA256

afcf4012f8671a224c6856e0d968b7f7de88d7d96f0caddc97cd0f985694e530
SHA512

62ae0a5018493d84dd9605a71b25a7bc0b01462280655e4faa4918cd1765dd24de42e64aa9c1f48ce021a05a314dfc9e3b9ceccd7222b1c17c663d4ade3b4d42

Score

10^/10

formbook xloader u9xn loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1416-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1416-57-0x000000000041D4F0-mapping.dmp	xloader
behavioral1/memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1152-68-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1712-80-0x000000000041D4F0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTH4QLUPW8G = "C:\\Program Files (x86)\\Nsfv\\userrfcx.exe"	raserver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	raserver.exe

Executes dropped EXE 2 IoCs

Processes:

userrfcx.exeuserrfcx.exe

pid process

1232 userrfcx.exe
1712 userrfcx.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1072 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

PO Document.exeuserrfcx.exe

pid process

864 PO Document.exe
1232 userrfcx.exe

pid	process
1232	userrfcx.exe
1712	userrfcx.exe

pid	process
1072	cmd.exe

pid	process
864	PO Document.exe
1232	userrfcx.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

PO Document.exePO Document.exeraserver.exeuserrfcx.exe

description	pid	process	target process
PID 864 set thread context of 1416	864	PO Document.exe	PO Document.exe
PID 1416 set thread context of 1356	1416	PO Document.exe	Explorer.EXE
PID 1416 set thread context of 1356	1416	PO Document.exe	Explorer.EXE
PID 1152 set thread context of 1356	1152	raserver.exe	Explorer.EXE
PID 1232 set thread context of 1712	1232	userrfcx.exe	userrfcx.exe

Drops file in Program Files directory 2 IoCs

Processes:

raserver.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nsfv\userrfcx.exe	raserver.exe
File created	C:\Program Files (x86)\Nsfv\userrfcx.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_1
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_2
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_1
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_2
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_1
C:\Program Files (x86)\Nsfv\userrfcx.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exeexplorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

PO Document.exeraserver.exeuserrfcx.exe

pid	process
1416	PO Document.exe
1416	PO Document.exe
1416	PO Document.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1712	userrfcx.exe
1152	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

PO Document.exeraserver.exe

pid	process
1416	PO Document.exe
1416	PO Document.exe
1416	PO Document.exe
1416	PO Document.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe
1152	raserver.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

PO Document.exeraserver.exeuserrfcx.exeexplorer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1416	PO Document.exe
Token: SeDebugPrivilege	1152	raserver.exe
Token: SeDebugPrivilege	1712	userrfcx.exe
Token: SeShutdownPrivilege	1440	explorer.exe
Token: SeShutdownPrivilege	1440	explorer.exe
Token: SeShutdownPrivilege	1440	explorer.exe
Token: SeShutdownPrivilege	1440	explorer.exe
Token: SeShutdownPrivilege	1440	explorer.exe
Token: 33	1420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1420	AUDIODG.EXE
Token: 33	1420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1420	AUDIODG.EXE
Token: SeShutdownPrivilege	1440	explorer.exe
Token: SeShutdownPrivilege	1440	explorer.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Explorer.EXEexplorer.exe

pid	process
1356	Explorer.EXE
1356	Explorer.EXE
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

Explorer.EXEexplorer.exe

pid	process
1356	Explorer.EXE
1356	Explorer.EXE
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe
1440	explorer.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

PO Document.exeExplorer.EXEraserver.exeuserrfcx.exe

description	pid	process	target process
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 864 wrote to memory of 1416	864	PO Document.exe	PO Document.exe
PID 1356 wrote to memory of 1152	1356	Explorer.EXE	raserver.exe
PID 1356 wrote to memory of 1152	1356	Explorer.EXE	raserver.exe
PID 1356 wrote to memory of 1152	1356	Explorer.EXE	raserver.exe
PID 1356 wrote to memory of 1152	1356	Explorer.EXE	raserver.exe
PID 1152 wrote to memory of 1072	1152	raserver.exe	cmd.exe
PID 1152 wrote to memory of 1072	1152	raserver.exe	cmd.exe
PID 1152 wrote to memory of 1072	1152	raserver.exe	cmd.exe
PID 1152 wrote to memory of 1072	1152	raserver.exe	cmd.exe
PID 1152 wrote to memory of 920	1152	raserver.exe	Firefox.exe
PID 1152 wrote to memory of 920	1152	raserver.exe	Firefox.exe
PID 1152 wrote to memory of 920	1152	raserver.exe	Firefox.exe
PID 1152 wrote to memory of 920	1152	raserver.exe	Firefox.exe
PID 1356 wrote to memory of 1232	1356	Explorer.EXE	userrfcx.exe
PID 1356 wrote to memory of 1232	1356	Explorer.EXE	userrfcx.exe
PID 1356 wrote to memory of 1232	1356	Explorer.EXE	userrfcx.exe
PID 1356 wrote to memory of 1232	1356	Explorer.EXE	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1232 wrote to memory of 1712	1232	userrfcx.exe	userrfcx.exe
PID 1152 wrote to memory of 920	1152	raserver.exe	Firefox.exe
PID 1152 wrote to memory of 1440	1152	raserver.exe	explorer.exe
PID 1152 wrote to memory of 1440	1152	raserver.exe	explorer.exe
PID 1152 wrote to memory of 1440	1152	raserver.exe	explorer.exe
PID 1152 wrote to memory of 1440	1152	raserver.exe	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\PO Document.exe
"C:\Users\Admin\AppData\Local\Temp\PO Document.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\PO Document.exe
"C:\Users\Admin\AppData\Local\Temp\PO Document.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO Document.exe"
3⤵
- Deletes itself
PID:1072

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:920

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1440

C:\Program Files (x86)\Nsfv\userrfcx.exe
"C:\Program Files (x86)\Nsfv\userrfcx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files (x86)\Nsfv\userrfcx.exe
"C:\Program Files (x86)\Nsfv\userrfcx.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nsfv\userrfcx.exe
MD5
1ec1e11ac3014b8dd331b3d08972f21b

SHA1
07c546a6a311835c712d9404be182daef56611ab

SHA256
afcf4012f8671a224c6856e0d968b7f7de88d7d96f0caddc97cd0f985694e530

SHA512
62ae0a5018493d84dd9605a71b25a7bc0b01462280655e4faa4918cd1765dd24de42e64aa9c1f48ce021a05a314dfc9e3b9ceccd7222b1c17c663d4ade3b4d42

Download Submit
C:\Program Files (x86)\Nsfv\userrfcx.exe
MD5
1ec1e11ac3014b8dd331b3d08972f21b

SHA1
07c546a6a311835c712d9404be182daef56611ab

SHA256
afcf4012f8671a224c6856e0d968b7f7de88d7d96f0caddc97cd0f985694e530

SHA512
62ae0a5018493d84dd9605a71b25a7bc0b01462280655e4faa4918cd1765dd24de42e64aa9c1f48ce021a05a314dfc9e3b9ceccd7222b1c17c663d4ade3b4d42

Download Submit
C:\Program Files (x86)\Nsfv\userrfcx.exe
MD5
1ec1e11ac3014b8dd331b3d08972f21b

SHA1
07c546a6a311835c712d9404be182daef56611ab

SHA256
afcf4012f8671a224c6856e0d968b7f7de88d7d96f0caddc97cd0f985694e530

SHA512
62ae0a5018493d84dd9605a71b25a7bc0b01462280655e4faa4918cd1765dd24de42e64aa9c1f48ce021a05a314dfc9e3b9ceccd7222b1c17c663d4ade3b4d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\slnb17imo5g4be1
MD5
15fb041a5b680fa7585b2d9d3928777f

SHA1
0e781615b4cbfab8389233c8a9e350462d5f977b

SHA256
9c8d993ef9484d1b4cc778f6bfa97915c125422bde6d0ed768fc63ce9ff89c77

SHA512
8a32960131bdbc8cf1b0d66787329b3756ef53d7b9374fe1e50e5d6d416b687d7e644a7dace8438b68e1353bb8ba526c5bef5ab0984a60d106d6b4f5c93bd24e

Download Submit
\Users\Admin\AppData\Local\Temp\nso29A1.tmp\rwee.dll
MD5
251797ae229b4b54fafe515bd2f39bb8

SHA1
06624552a8fb9e036b1f95db53033b98852237a7

SHA256
4d075b5b925b5a27826ce07996032452cb90d9388fe14e2bd9288de4d0e18e9e

SHA512
c13febe46b13a9999dbef3b337eda17f9e3bad06200ab8efa1dc4b9eef23aac7d9ab5d4465235d8a35c27345c94ac5a26995ec63a63d698caef59b3eeb3bad6f

Download Submit
\Users\Admin\AppData\Local\Temp\nsu361F.tmp\rwee.dll
MD5
251797ae229b4b54fafe515bd2f39bb8

SHA1
06624552a8fb9e036b1f95db53033b98852237a7

SHA256
4d075b5b925b5a27826ce07996032452cb90d9388fe14e2bd9288de4d0e18e9e

SHA512
c13febe46b13a9999dbef3b337eda17f9e3bad06200ab8efa1dc4b9eef23aac7d9ab5d4465235d8a35c27345c94ac5a26995ec63a63d698caef59b3eeb3bad6f

Download Submit
memory/864-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1072-70-0x0000000000000000-mapping.dmp

Download
memory/1152-71-0x00000000003A0000-0x0000000000430000-memory.dmp

Filesize
576KB

Download
memory/1152-65-0x0000000000000000-mapping.dmp

Download
memory/1152-68-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1152-69-0x0000000002270000-0x0000000002573000-memory.dmp

Filesize
3.0MB

Download
memory/1152-67-0x0000000000E50000-0x0000000000E6C000-memory.dmp

Filesize
112KB

Download
memory/1232-73-0x0000000000000000-mapping.dmp

Download
memory/1356-61-0x0000000006AD0000-0x0000000006C5D000-memory.dmp

Filesize
1.6MB

Download
memory/1356-64-0x0000000006640000-0x00000000066F5000-memory.dmp

Filesize
724KB

Download
memory/1356-72-0x0000000008C30000-0x0000000008DB2000-memory.dmp

Filesize
1.5MB

Download
memory/1416-57-0x000000000041D4F0-mapping.dmp

Download
memory/1416-63-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1416-60-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1416-59-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1416-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-83-0x0000000000000000-mapping.dmp

Download
memory/1440-84-0x000007FEFC361000-0x000007FEFC363000-memory.dmp

Filesize
8KB

Download
memory/1440-86-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1712-80-0x000000000041D4F0-mapping.dmp

Download
memory/1712-82-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads