formbook | 16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

General

Target

bunker inquiry_020100121.exe
Size

272KB
MD5

d700d80487e10f8b9ea5fb50b9e9109c
SHA1

9177a19d76b09d4cde071a07ffb626c9bd4e3652
SHA256

16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c
SHA512

e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Score

10^/10

formbook xloader igwa loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2932-132-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/840-140-0x0000000002850000-0x0000000002879000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MJUXXVE0HP = "C:\\Program Files (x86)\\Jjnqp\\pzylb6bzu.exe"	wlanext.exe

Executes dropped EXE 2 IoCs

Processes:

pzylb6bzu.exepzylb6bzu.exe

pid process

1688 pzylb6bzu.exe
2532 pzylb6bzu.exe
Loads dropped DLL 2 IoCs

Processes:

bunker inquiry_020100121.exepzylb6bzu.exe

pid process

1464 bunker inquiry_020100121.exe
1688 pzylb6bzu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1688	pzylb6bzu.exe
2532	pzylb6bzu.exe

pid	process
1464	bunker inquiry_020100121.exe
1688	pzylb6bzu.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bunker inquiry_020100121.exebunker inquiry_020100121.exewlanext.exepzylb6bzu.exe

description	pid	process	target process
PID 1464 set thread context of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 2932 set thread context of 2412	2932	bunker inquiry_020100121.exe	Explorer.EXE
PID 840 set thread context of 2412	840	wlanext.exe	Explorer.EXE
PID 1688 set thread context of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe

Drops file in Program Files directory 4 IoCs

Processes:

wlanext.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	wlanext.exe
File opened for modification	C:\Program Files (x86)\Jjnqp	Explorer.EXE
File created	C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_1
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_2
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_1
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_2
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_1
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

bunker inquiry_020100121.exewlanext.exepzylb6bzu.exe

pid	process
2932	bunker inquiry_020100121.exe
2932	bunker inquiry_020100121.exe
2932	bunker inquiry_020100121.exe
2932	bunker inquiry_020100121.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
2532	pzylb6bzu.exe
2532	pzylb6bzu.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2412 Explorer.EXE

pid	process
2412	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

bunker inquiry_020100121.exewlanext.exe

pid	process
2932	bunker inquiry_020100121.exe
2932	bunker inquiry_020100121.exe
2932	bunker inquiry_020100121.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe
840	wlanext.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

bunker inquiry_020100121.exewlanext.exeMusNotification.exeExplorer.EXEpzylb6bzu.exe

description	pid	process
Token: SeDebugPrivilege	2932	bunker inquiry_020100121.exe
Token: SeDebugPrivilege	840	wlanext.exe
Token: SeShutdownPrivilege	1644	MusNotification.exe
Token: SeCreatePagefilePrivilege	1644	MusNotification.exe
Token: SeShutdownPrivilege	2412	Explorer.EXE
Token: SeCreatePagefilePrivilege	2412	Explorer.EXE
Token: SeDebugPrivilege	2532	pzylb6bzu.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

bunker inquiry_020100121.exeExplorer.EXEwlanext.exepzylb6bzu.exe

description	pid	process	target process
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 1464 wrote to memory of 2932	1464	bunker inquiry_020100121.exe	bunker inquiry_020100121.exe
PID 2412 wrote to memory of 840	2412	Explorer.EXE	wlanext.exe
PID 2412 wrote to memory of 840	2412	Explorer.EXE	wlanext.exe
PID 2412 wrote to memory of 840	2412	Explorer.EXE	wlanext.exe
PID 840 wrote to memory of 3520	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 3520	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 3520	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 2080	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 2080	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 2080	840	wlanext.exe	cmd.exe
PID 840 wrote to memory of 3236	840	wlanext.exe	Firefox.exe
PID 840 wrote to memory of 3236	840	wlanext.exe	Firefox.exe
PID 2412 wrote to memory of 1688	2412	Explorer.EXE	pzylb6bzu.exe
PID 2412 wrote to memory of 1688	2412	Explorer.EXE	pzylb6bzu.exe
PID 2412 wrote to memory of 1688	2412	Explorer.EXE	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 1688 wrote to memory of 2532	1688	pzylb6bzu.exe	pzylb6bzu.exe
PID 840 wrote to memory of 3236	840	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe
"C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe
"C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bunker inquiry_020100121.exe"
3⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2080

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3236

C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
"C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688

C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
"C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
MD5
d700d80487e10f8b9ea5fb50b9e9109c

SHA1
9177a19d76b09d4cde071a07ffb626c9bd4e3652

SHA256
16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

SHA512
e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Download Submit
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
MD5
d700d80487e10f8b9ea5fb50b9e9109c

SHA1
9177a19d76b09d4cde071a07ffb626c9bd4e3652

SHA256
16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

SHA512
e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Download Submit
C:\Program Files (x86)\Jjnqp\pzylb6bzu.exe
MD5
d700d80487e10f8b9ea5fb50b9e9109c

SHA1
9177a19d76b09d4cde071a07ffb626c9bd4e3652

SHA256
16e137fca9b2bc45254218e2c5f19c2c3b74ec6e4454706bcfd4454a6472c33c

SHA512
e27bf0d76d02b2ccd90d30d94cb94d1549f920fb9fcbf31b0ce13131cd6ff7465a08515469414214d23a26cb7474b7f9a9749c2be88a51458768f8cd429c9a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA3E0.tmp\eekmeeht.dll
MD5
cac14ac261a8e2911027bbcced7466b3

SHA1
0d104ba98bbd11533b7999b434eb819a0bb61045

SHA256
521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4

SHA512
61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw8FC6.tmp\eekmeeht.dll
MD5
cac14ac261a8e2911027bbcced7466b3

SHA1
0d104ba98bbd11533b7999b434eb819a0bb61045

SHA256
521bc905075db8ff9cd4bc35d66f1530819fd4122014517e74eb2945451fc7a4

SHA512
61c917f17ed7588a2d94b83504c92309f376a19f4c297c327c3b2c7c9fc87576e2bd1c55210c2aef4be7842cf7c85efc2263de9f59e75bed45ff60ee32dad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1kjtsbsl9wgqa6sl4x0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\txuxn
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/840-137-0x0000000000000000-mapping.dmp

Download
memory/840-141-0x0000000002ED0000-0x000000000321A000-memory.dmp

Filesize
3.3MB

Download
memory/840-142-0x0000000002D80000-0x0000000002E10000-memory.dmp

Filesize
576KB

Download
memory/840-140-0x0000000002850000-0x0000000002879000-memory.dmp

Filesize
164KB

Download
memory/840-139-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/1688-146-0x0000000000000000-mapping.dmp

Download
memory/2080-144-0x0000000000000000-mapping.dmp

Download
memory/2412-143-0x0000000008420000-0x000000000852F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-136-0x0000000007AF0000-0x0000000007C64000-memory.dmp

Filesize
1.5MB

Download
memory/2532-152-0x0000000000000000-mapping.dmp

Download
memory/2532-155-0x00000000009D0000-0x0000000000D1A000-memory.dmp

Filesize
3.3MB

Download
memory/2932-134-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download
memory/2932-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2932-135-0x00000000008F0000-0x0000000000901000-memory.dmp

Filesize
68KB

Download
memory/2932-131-0x0000000000000000-mapping.dmp

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads