formbook | 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

General

Target

DEC SOA_09012022.exe
Size

373KB
MD5

6046b2f34b67e06c817f4375c6d26a54
SHA1

2230944a4216a07fde067866af7e81e1a52e8535
SHA256

56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512

542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Score

10^/10

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1028-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1028-117-0x000000000041D440-mapping.dmp	xloader
behavioral2/memory/3924-124-0x0000000000A70000-0x0000000000A99000-memory.dmp	xloader
behavioral2/memory/688-138-0x000000000041D440-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

helpxzbxnrbp.exehelpxzbxnrbp.exe

pid process

2648 helpxzbxnrbp.exe
688 helpxzbxnrbp.exe
Loads dropped DLL 2 IoCs

Processes:

DEC SOA_09012022.exehelpxzbxnrbp.exe

pid process

912 DEC SOA_09012022.exe
2648 helpxzbxnrbp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2648	helpxzbxnrbp.exe
688	helpxzbxnrbp.exe

pid	process
912	DEC SOA_09012022.exe
2648	helpxzbxnrbp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9R8XRRHX6RG = "C:\\Program Files (x86)\\Qblq\\helpxzbxnrbp.exe"	msdt.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

DEC SOA_09012022.exeDEC SOA_09012022.exemsdt.exehelpxzbxnrbp.exe

description	pid	process	target process
PID 912 set thread context of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1028 set thread context of 3056	1028	DEC SOA_09012022.exe	Explorer.EXE
PID 3924 set thread context of 3056	3924	msdt.exe	Explorer.EXE
PID 2648 set thread context of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe

Drops file in Program Files directory 4 IoCs

Processes:

msdt.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	msdt.exe
File opened for modification	C:\Program Files (x86)\Qblq	Explorer.EXE
File created	C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_2
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_2
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

DEC SOA_09012022.exemsdt.exehelpxzbxnrbp.exe

pid	process
1028	DEC SOA_09012022.exe
1028	DEC SOA_09012022.exe
1028	DEC SOA_09012022.exe
1028	DEC SOA_09012022.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
688	helpxzbxnrbp.exe
688	helpxzbxnrbp.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe
3924	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

DEC SOA_09012022.exemsdt.exe

pid process

1028 DEC SOA_09012022.exe
1028 DEC SOA_09012022.exe
1028 DEC SOA_09012022.exe
3924 msdt.exe
3924 msdt.exe
3924 msdt.exe
3924 msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DEC SOA_09012022.exemsdt.exehelpxzbxnrbp.exe

description pid process

Token: SeDebugPrivilege 1028 DEC SOA_09012022.exe
Token: SeDebugPrivilege 3924 msdt.exe
Token: SeDebugPrivilege 688 helpxzbxnrbp.exe

pid	process
3056	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1028	DEC SOA_09012022.exe
Token: SeDebugPrivilege	3924	msdt.exe
Token: SeDebugPrivilege	688	helpxzbxnrbp.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

DEC SOA_09012022.exeExplorer.EXEmsdt.exehelpxzbxnrbp.exe

description	pid	process	target process
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 912 wrote to memory of 1028	912	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 3056 wrote to memory of 3924	3056	Explorer.EXE	msdt.exe
PID 3056 wrote to memory of 3924	3056	Explorer.EXE	msdt.exe
PID 3056 wrote to memory of 3924	3056	Explorer.EXE	msdt.exe
PID 3924 wrote to memory of 1824	3924	msdt.exe	cmd.exe
PID 3924 wrote to memory of 1824	3924	msdt.exe	cmd.exe
PID 3924 wrote to memory of 1824	3924	msdt.exe	cmd.exe
PID 3924 wrote to memory of 3620	3924	msdt.exe	cmd.exe
PID 3924 wrote to memory of 3620	3924	msdt.exe	cmd.exe
PID 3924 wrote to memory of 3620	3924	msdt.exe	cmd.exe
PID 3056 wrote to memory of 2648	3056	Explorer.EXE	helpxzbxnrbp.exe
PID 3056 wrote to memory of 2648	3056	Explorer.EXE	helpxzbxnrbp.exe
PID 3056 wrote to memory of 2648	3056	Explorer.EXE	helpxzbxnrbp.exe
PID 3924 wrote to memory of 1184	3924	msdt.exe	Firefox.exe
PID 3924 wrote to memory of 1184	3924	msdt.exe	Firefox.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 2648 wrote to memory of 688	2648	helpxzbxnrbp.exe	helpxzbxnrbp.exe
PID 3924 wrote to memory of 1184	3924	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3620

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1184

C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
"C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
"C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
MD5
6046b2f34b67e06c817f4375c6d26a54

SHA1
2230944a4216a07fde067866af7e81e1a52e8535

SHA256
56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

SHA512
542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Download Submit
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
MD5
6046b2f34b67e06c817f4375c6d26a54

SHA1
2230944a4216a07fde067866af7e81e1a52e8535

SHA256
56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

SHA512
542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Download Submit
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
MD5
6046b2f34b67e06c817f4375c6d26a54

SHA1
2230944a4216a07fde067866af7e81e1a52e8535

SHA256
56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

SHA512
542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzj7wydhstvhlw1sy23
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wklfmyml
MD5
50c3351485ffad798f860720ca86c51d

SHA1
0bc92630e09367fc9d874c171c556198add38267

SHA256
73075fdf0c62d3d9a9ea4b57f5dbd6349235be6ed8a848d95f0caf5de2f14448

SHA512
d87494b1bde8c3f7002ff077d190a629d01acf5250ec36a0e00c4864681f83837b5b8599032f9c09c1c832a141ad281123d5d71579528e8dc7107913d2851018

Download Submit
\Users\Admin\AppData\Local\Temp\nsi20D9.tmp\rwxef.dll
MD5
52944a6532acdb2543a8f6076c5b1eeb

SHA1
f01e61cd9d9b724e1d77851440493858c008100b

SHA256
5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

SHA512
b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB57.tmp\rwxef.dll
MD5
52944a6532acdb2543a8f6076c5b1eeb

SHA1
f01e61cd9d9b724e1d77851440493858c008100b

SHA256
5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

SHA512
b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

Download Submit
memory/688-138-0x000000000041D440-mapping.dmp

Download
memory/688-140-0x00000000009D0000-0x0000000000CF0000-memory.dmp

Filesize
3.1MB

Download
memory/1028-120-0x00000000006D0000-0x00000000006E1000-memory.dmp

Filesize
68KB

Download
memory/1028-119-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download
memory/1028-117-0x000000000041D440-mapping.dmp

Download
memory/1028-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1824-125-0x0000000000000000-mapping.dmp

Download
memory/2648-131-0x0000000000000000-mapping.dmp

Download
memory/3056-128-0x0000000005C90000-0x0000000005DE4000-memory.dmp

Filesize
1.3MB

Download
memory/3056-121-0x0000000005790000-0x00000000058C8000-memory.dmp

Filesize
1.2MB

Download
memory/3620-129-0x0000000000000000-mapping.dmp

Download
memory/3924-127-0x00000000049F0000-0x0000000004A80000-memory.dmp

Filesize
576KB

Download
memory/3924-126-0x0000000004BA0000-0x0000000004EC0000-memory.dmp

Filesize
3.1MB

Download
memory/3924-124-0x0000000000A70000-0x0000000000A99000-memory.dmp

Filesize
164KB

Download
memory/3924-123-0x00000000010D0000-0x0000000001243000-memory.dmp

Filesize
1.4MB

Download
memory/3924-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads