formbook | 7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f

General

Target

vbc.exe
Size

515KB
MD5

a8538dba14e963ac7894257f7466bc06
SHA1

d5de28b9a2f41519f8ae6fc2be6f9ee75569e192
SHA256

7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f
SHA512

04da55fb7dcd87538e284a929b79427bf72241fea7a291f3650853442f889cf21de0352f7a381bae316df852f3b0ea87e5eb9ce8e3e509a27ab34da0b78030ba

Score

10^/10

formbook xloader ea0r loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/900-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/900-58-0x000000000041D410-mapping.dmp	xloader
behavioral1/memory/528-65-0x0000000000070000-0x0000000000099000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

updatej2kdyn.exeupdatej2kdyn.exe

pid process

1712 updatej2kdyn.exe
1144 updatej2kdyn.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1424 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

vbc.exeupdatej2kdyn.exe

pid process

1316 vbc.exe
1712 updatej2kdyn.exe
1712 updatej2kdyn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1712	updatej2kdyn.exe
1144	updatej2kdyn.exe

pid	process
1424	cmd.exe

pid	process
1316	vbc.exe
1712	updatej2kdyn.exe
1712	updatej2kdyn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLR84HJ0 = "C:\\Program Files (x86)\\Tur4tqruh\\updatej2kdyn.exe"	wscript.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exevbc.exewscript.exeupdatej2kdyn.exe

description	pid	process	target process
PID 1316 set thread context of 900	1316	vbc.exe	vbc.exe
PID 900 set thread context of 1412	900	vbc.exe	Explorer.EXE
PID 528 set thread context of 1412	528	wscript.exe	Explorer.EXE
PID 1712 set thread context of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe

Drops file in Program Files directory 2 IoCs

Processes:

wscript.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	wscript.exe
File created	C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_1
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_2
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_1
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_2
\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_1
\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_2
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_1
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-103686315-404690609-2047157615-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

vbc.exewscript.exe

pid	process
900	vbc.exe
900	vbc.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe
528	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exewscript.exe

pid process

900 vbc.exe
900 vbc.exe
900 vbc.exe
528 wscript.exe
528 wscript.exe
528 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exewscript.exe

description pid process

Token: SeDebugPrivilege 900 vbc.exe
Token: SeDebugPrivilege 528 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

pid	process
1412	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	900	vbc.exe
Token: SeDebugPrivilege	528	wscript.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

vbc.exeExplorer.EXEwscript.exeupdatej2kdyn.exe

description	pid	process	target process
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1316 wrote to memory of 900	1316	vbc.exe	vbc.exe
PID 1412 wrote to memory of 528	1412	Explorer.EXE	wscript.exe
PID 1412 wrote to memory of 528	1412	Explorer.EXE	wscript.exe
PID 1412 wrote to memory of 528	1412	Explorer.EXE	wscript.exe
PID 1412 wrote to memory of 528	1412	Explorer.EXE	wscript.exe
PID 528 wrote to memory of 1424	528	wscript.exe	cmd.exe
PID 528 wrote to memory of 1424	528	wscript.exe	cmd.exe
PID 528 wrote to memory of 1424	528	wscript.exe	cmd.exe
PID 528 wrote to memory of 1424	528	wscript.exe	cmd.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 1412 wrote to memory of 1712	1412	Explorer.EXE	updatej2kdyn.exe
PID 528 wrote to memory of 1376	528	wscript.exe	Firefox.exe
PID 528 wrote to memory of 1376	528	wscript.exe	Firefox.exe
PID 528 wrote to memory of 1376	528	wscript.exe	Firefox.exe
PID 528 wrote to memory of 1376	528	wscript.exe	Firefox.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe
PID 1712 wrote to memory of 1144	1712	updatej2kdyn.exe	updatej2kdyn.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Deletes itself
PID:1424

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1376

C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
"C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
"C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe"
3⤵
- Executes dropped EXE
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
MD5
a8538dba14e963ac7894257f7466bc06

SHA1
d5de28b9a2f41519f8ae6fc2be6f9ee75569e192

SHA256
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f

SHA512
04da55fb7dcd87538e284a929b79427bf72241fea7a291f3650853442f889cf21de0352f7a381bae316df852f3b0ea87e5eb9ce8e3e509a27ab34da0b78030ba

Download Submit
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
MD5
a8538dba14e963ac7894257f7466bc06

SHA1
d5de28b9a2f41519f8ae6fc2be6f9ee75569e192

SHA256
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f

SHA512
04da55fb7dcd87538e284a929b79427bf72241fea7a291f3650853442f889cf21de0352f7a381bae316df852f3b0ea87e5eb9ce8e3e509a27ab34da0b78030ba

Download Submit
C:\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
MD5
440e3b5b7b386842e277ca4a74bf26c4

SHA1
21d5c452fcff82137c748bbbe7af263eef0f5cf9

SHA256
89b10cd8d80b9cdfd7ed94a910f767e2e3e5ae66e1b16ab55acb5e44eb55af2c

SHA512
fe6ca5cedd40214c53b3521051e26d03612d6092d975613cd7b516d590fd0eeb5ae46ebddd0fbef148515d759a8367ab529104f23efa6d03b05f353dff084dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yp01n9xse19jb9c
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Tur4tqruh\updatej2kdyn.exe
MD5
a8538dba14e963ac7894257f7466bc06

SHA1
d5de28b9a2f41519f8ae6fc2be6f9ee75569e192

SHA256
7bfabb3e53f70e2ad39155a8af8d7e27a07ec01b0ba8faed52cb569e4f78142f

SHA512
04da55fb7dcd87538e284a929b79427bf72241fea7a291f3650853442f889cf21de0352f7a381bae316df852f3b0ea87e5eb9ce8e3e509a27ab34da0b78030ba

Download Submit
\Users\Admin\AppData\Local\Temp\nstD164.tmp\sodxedmub.dll
MD5
0dce769f700f91a640a0ac88b9f52cc0

SHA1
593939ad9b4c96d84fb8649bd81a670e8036db19

SHA256
8ea5809102a56af3cbe2dead5d07c4a740afac59ae44f908dd73dbd2314a6018

SHA512
b1546a0ec312e6f4cf50b01c15fd37d911a39eea6e465be113c9e38f87af4f5cde649bdf8939496a7aaceec05988de1bc9249fce8ddc0fce3d1c2f94ead33a52

Download Submit
\Users\Admin\AppData\Local\Temp\nsz15F2.tmp\sodxedmub.dll
MD5
0dce769f700f91a640a0ac88b9f52cc0

SHA1
593939ad9b4c96d84fb8649bd81a670e8036db19

SHA256
8ea5809102a56af3cbe2dead5d07c4a740afac59ae44f908dd73dbd2314a6018

SHA512
b1546a0ec312e6f4cf50b01c15fd37d911a39eea6e465be113c9e38f87af4f5cde649bdf8939496a7aaceec05988de1bc9249fce8ddc0fce3d1c2f94ead33a52

Download Submit
memory/528-66-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/528-64-0x0000000000C70000-0x0000000000C96000-memory.dmp

Filesize
152KB

Download
memory/528-65-0x0000000000070000-0x0000000000099000-memory.dmp

Filesize
164KB

Download
memory/528-68-0x00000000004C0000-0x0000000000550000-memory.dmp

Filesize
576KB

Download
memory/528-63-0x0000000000000000-mapping.dmp

Download
memory/900-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/900-60-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/900-61-0x0000000000450000-0x0000000000461000-memory.dmp

Filesize
68KB

Download
memory/900-58-0x000000000041D410-mapping.dmp

Download
memory/1144-79-0x000000000041D410-mapping.dmp

Download
memory/1316-55-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1412-69-0x0000000006610000-0x00000000066DF000-memory.dmp

Filesize
828KB

Download
memory/1412-62-0x0000000006230000-0x00000000062FA000-memory.dmp

Filesize
808KB

Download
memory/1424-67-0x0000000000000000-mapping.dmp

Download
memory/1712-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads