formbook | 37eb7f4102cd9f23d8bbfd795f8beee93582770d09bc2875741b67c731a12bfd

General

Target

Invoice request.exe
Size

676KB
MD5

da15b6acf344c43696f03ccd0c9b5662
SHA1

490a2ef542738dfc47dc62663f1f4cd4b52d6c6d
SHA256

c26730ee4480c22df36df08e6386199eac697aef2310b98ec4719fe63f1d70f9
SHA512

403f26713a14eb962791da7abf6fc28d9c31d1a9db9ef2edec87a11153d65ebae31050b223fa904ab97923b3bad2dc0a14adbfc4642e3a1afa2f7f15d89484d5

Score

10^/10

formbook xloader ea0r loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/288-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/288-58-0x000000000041D410-mapping.dmp	xloader
behavioral1/memory/1472-65-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1720-78-0x000000000041D410-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

vgayznhb0d.exevgayznhb0d.exe

pid process

1920 vgayznhb0d.exe
1720 vgayznhb0d.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

976 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

Invoice request.exevgayznhb0d.exe

pid process

268 Invoice request.exe
1920 vgayznhb0d.exe

pid	process
1920	vgayznhb0d.exe
1720	vgayznhb0d.exe

pid	process
976	cmd.exe

pid	process
268	Invoice request.exe
1920	vgayznhb0d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRZXSZIXDLH = "C:\\Program Files (x86)\\Uj6tdv418\\vgayznhb0d.exe"	netsh.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Invoice request.exeInvoice request.exenetsh.exevgayznhb0d.exe

description	pid	process	target process
PID 268 set thread context of 288	268	Invoice request.exe	Invoice request.exe
PID 288 set thread context of 1360	288	Invoice request.exe	Explorer.EXE
PID 1472 set thread context of 1360	1472	netsh.exe	Explorer.EXE
PID 1920 set thread context of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe

Drops file in Program Files directory 2 IoCs

Processes:

netsh.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	netsh.exe
File created	C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_1
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_2
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_1
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_2
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_1
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

Invoice request.exenetsh.exevgayznhb0d.exe

pid	process
288	Invoice request.exe
288	Invoice request.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1720	vgayznhb0d.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe
1472	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Invoice request.exenetsh.exe

pid process

288 Invoice request.exe
288 Invoice request.exe
288 Invoice request.exe
1472 netsh.exe
1472 netsh.exe
1472 netsh.exe
1472 netsh.exe

pid	process
1360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Invoice request.exenetsh.exevgayznhb0d.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	288	Invoice request.exe
Token: SeDebugPrivilege	1472	netsh.exe
Token: SeDebugPrivilege	1720	vgayznhb0d.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Invoice request.exeExplorer.EXEnetsh.exevgayznhb0d.exe

description	pid	process	target process
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 268 wrote to memory of 288	268	Invoice request.exe	Invoice request.exe
PID 1360 wrote to memory of 1472	1360	Explorer.EXE	netsh.exe
PID 1360 wrote to memory of 1472	1360	Explorer.EXE	netsh.exe
PID 1360 wrote to memory of 1472	1360	Explorer.EXE	netsh.exe
PID 1360 wrote to memory of 1472	1360	Explorer.EXE	netsh.exe
PID 1472 wrote to memory of 976	1472	netsh.exe	cmd.exe
PID 1472 wrote to memory of 976	1472	netsh.exe	cmd.exe
PID 1472 wrote to memory of 976	1472	netsh.exe	cmd.exe
PID 1472 wrote to memory of 976	1472	netsh.exe	cmd.exe
PID 1472 wrote to memory of 308	1472	netsh.exe	Firefox.exe
PID 1472 wrote to memory of 308	1472	netsh.exe	Firefox.exe
PID 1472 wrote to memory of 308	1472	netsh.exe	Firefox.exe
PID 1472 wrote to memory of 308	1472	netsh.exe	Firefox.exe
PID 1360 wrote to memory of 1920	1360	Explorer.EXE	vgayznhb0d.exe
PID 1360 wrote to memory of 1920	1360	Explorer.EXE	vgayznhb0d.exe
PID 1360 wrote to memory of 1920	1360	Explorer.EXE	vgayznhb0d.exe
PID 1360 wrote to memory of 1920	1360	Explorer.EXE	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1920 wrote to memory of 1720	1920	vgayznhb0d.exe	vgayznhb0d.exe
PID 1472 wrote to memory of 308	1472	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\Invoice request.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\Invoice request.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
3⤵
- Deletes itself
PID:976

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:308

C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
"C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
"C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
MD5
da15b6acf344c43696f03ccd0c9b5662

SHA1
490a2ef542738dfc47dc62663f1f4cd4b52d6c6d

SHA256
c26730ee4480c22df36df08e6386199eac697aef2310b98ec4719fe63f1d70f9

SHA512
403f26713a14eb962791da7abf6fc28d9c31d1a9db9ef2edec87a11153d65ebae31050b223fa904ab97923b3bad2dc0a14adbfc4642e3a1afa2f7f15d89484d5

Download Submit
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
MD5
da15b6acf344c43696f03ccd0c9b5662

SHA1
490a2ef542738dfc47dc62663f1f4cd4b52d6c6d

SHA256
c26730ee4480c22df36df08e6386199eac697aef2310b98ec4719fe63f1d70f9

SHA512
403f26713a14eb962791da7abf6fc28d9c31d1a9db9ef2edec87a11153d65ebae31050b223fa904ab97923b3bad2dc0a14adbfc4642e3a1afa2f7f15d89484d5

Download Submit
C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
MD5
da15b6acf344c43696f03ccd0c9b5662

SHA1
490a2ef542738dfc47dc62663f1f4cd4b52d6c6d

SHA256
c26730ee4480c22df36df08e6386199eac697aef2310b98ec4719fe63f1d70f9

SHA512
403f26713a14eb962791da7abf6fc28d9c31d1a9db9ef2edec87a11153d65ebae31050b223fa904ab97923b3bad2dc0a14adbfc4642e3a1afa2f7f15d89484d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qg36eedlvrwqn6h
MD5
3c2dd9ea5416d4052d87f735a58f82db

SHA1
88d45f16333f7030cc9c12ef181a7cfbafb372fe

SHA256
0d7c2864b39c66c6ab7e0e3a8904956fec9de3d9cca3addcd36bc7154a835494

SHA512
cb29a75ba855ad7f545b65be1925e25ea01f2f5324af2b048ad4f795e023766df997680f47af8a5828284218a72fea2f0135a4f54f10db9c706bba433cf9e273

Download Submit
\Users\Admin\AppData\Local\Temp\nstD3D4.tmp\vnrumu.dll
MD5
9a7d13a3c75e3e9424a652055453f96b

SHA1
535ff98bcf6079a1cd7851882118a9b088dcee37

SHA256
f7875ce82468a23036c9464ae7bd956acc10df8e25fcee457acec0e02967d9aa

SHA512
03c6500643439f5e1badbd0f82b035c42d2dbe921e60981a3d098f368ab7399ea28b7f3bbeb794a643f96d73354e5709f9eb06d5fa785f540cbb756f3ec1f759

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA323.tmp\vnrumu.dll
MD5
9a7d13a3c75e3e9424a652055453f96b

SHA1
535ff98bcf6079a1cd7851882118a9b088dcee37

SHA256
f7875ce82468a23036c9464ae7bd956acc10df8e25fcee457acec0e02967d9aa

SHA512
03c6500643439f5e1badbd0f82b035c42d2dbe921e60981a3d098f368ab7399ea28b7f3bbeb794a643f96d73354e5709f9eb06d5fa785f540cbb756f3ec1f759

Download Submit
memory/268-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/288-61-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/288-60-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/288-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/288-58-0x000000000041D410-mapping.dmp

Download
memory/976-67-0x0000000000000000-mapping.dmp

Download
memory/1360-69-0x0000000007160000-0x00000000072A1000-memory.dmp

Filesize
1.3MB

Download
memory/1360-62-0x0000000007000000-0x000000000715B000-memory.dmp

Filesize
1.4MB

Download
memory/1472-68-0x0000000000A00000-0x0000000000A90000-memory.dmp

Filesize
576KB

Download
memory/1472-63-0x0000000000000000-mapping.dmp

Download
memory/1472-64-0x0000000001720000-0x000000000173B000-memory.dmp

Filesize
108KB

Download
memory/1472-66-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/1472-65-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1720-78-0x000000000041D410-mapping.dmp

Download
memory/1720-80-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1920-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads