formbook | e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3

General

Target

payment advice_008900112.exe
Size

246KB
MD5

0783312f7caf72f1ac2a9951145bdda4
SHA1

c3da5594f78880bd4fc1d496efca357e6c19f65a
SHA256

e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3
SHA512

1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1

Score

10^/10

formbook xloader cxep loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cxep

Decoy

estateglobal.info

loransstore.com

loginofy.com

fjallravenz.online

cefseguranca-app.com

safontadiestramiento.com

bubbleteapro.com

morethanmummies.com

serviciopersonalizadoweb.com

headerbidder.info

skworkforce.com

heightsorthodontics.com

chulavistapd.com

southjerseyautobody.net

chargedbygratitude.com

meltingpotspot.com

gdjiachen.com

luckdrawprogram.com

vintagepaseo.com

bequestslojyh.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/920-120-0x0000000000500000-0x0000000000E40000-memory.dmp	xloader
behavioral2/memory/1388-122-0x00000000035F0000-0x0000000003619000-memory.dmp	xloader
behavioral2/memory/1388-124-0x00000000052B0000-0x0000000005444000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mstsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJZP4PXHQZ = "C:\\Program Files (x86)\\Gb0hxyhm\\llbxnvtvro.exe"	mstsc.exe

Executes dropped EXE 2 IoCs

Processes:

llbxnvtvro.exellbxnvtvro.exe

pid process

676 llbxnvtvro.exe
840 llbxnvtvro.exe
Loads dropped DLL 2 IoCs

Processes:

payment advice_008900112.exellbxnvtvro.exe

pid process

432 payment advice_008900112.exe
676 llbxnvtvro.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
676	llbxnvtvro.exe
840	llbxnvtvro.exe

pid	process
432	payment advice_008900112.exe
676	llbxnvtvro.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

payment advice_008900112.exepayment advice_008900112.exemstsc.exellbxnvtvro.exe

description	pid	process	target process
PID 432 set thread context of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 920 set thread context of 2072	920	payment advice_008900112.exe	Explorer.EXE
PID 1388 set thread context of 2072	1388	mstsc.exe	Explorer.EXE
PID 676 set thread context of 840	676	llbxnvtvro.exe	llbxnvtvro.exe

Drops file in Program Files directory 4 IoCs

Processes:

mstsc.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	mstsc.exe
File opened for modification	C:\Program Files (x86)\Gb0hxyhm	Explorer.EXE
File created	C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_1
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_2
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_1
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_2
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_1
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

payment advice_008900112.exemstsc.exellbxnvtvro.exe

pid	process
920	payment advice_008900112.exe
920	payment advice_008900112.exe
920	payment advice_008900112.exe
920	payment advice_008900112.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
840	llbxnvtvro.exe
840	llbxnvtvro.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2072 Explorer.EXE

pid	process
2072	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

payment advice_008900112.exemstsc.exe

pid	process
920	payment advice_008900112.exe
920	payment advice_008900112.exe
920	payment advice_008900112.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe
1388	mstsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

payment advice_008900112.exemstsc.exellbxnvtvro.exe

description	pid	process
Token: SeDebugPrivilege	920	payment advice_008900112.exe
Token: SeDebugPrivilege	1388	mstsc.exe
Token: SeDebugPrivilege	840	llbxnvtvro.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

payment advice_008900112.exeExplorer.EXEmstsc.exellbxnvtvro.exe

description	pid	process	target process
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 432 wrote to memory of 920	432	payment advice_008900112.exe	payment advice_008900112.exe
PID 2072 wrote to memory of 1388	2072	Explorer.EXE	mstsc.exe
PID 2072 wrote to memory of 1388	2072	Explorer.EXE	mstsc.exe
PID 2072 wrote to memory of 1388	2072	Explorer.EXE	mstsc.exe
PID 1388 wrote to memory of 3060	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 3060	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 3060	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 404	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 404	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 404	1388	mstsc.exe	cmd.exe
PID 1388 wrote to memory of 2712	1388	mstsc.exe	Firefox.exe
PID 1388 wrote to memory of 2712	1388	mstsc.exe	Firefox.exe
PID 2072 wrote to memory of 676	2072	Explorer.EXE	llbxnvtvro.exe
PID 2072 wrote to memory of 676	2072	Explorer.EXE	llbxnvtvro.exe
PID 2072 wrote to memory of 676	2072	Explorer.EXE	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 676 wrote to memory of 840	676	llbxnvtvro.exe	llbxnvtvro.exe
PID 1388 wrote to memory of 2712	1388	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:404

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2712

C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
"C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
"C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
MD5
0783312f7caf72f1ac2a9951145bdda4

SHA1
c3da5594f78880bd4fc1d496efca357e6c19f65a

SHA256
e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3

SHA512
1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1

Download Submit
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
MD5
0783312f7caf72f1ac2a9951145bdda4

SHA1
c3da5594f78880bd4fc1d496efca357e6c19f65a

SHA256
e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3

SHA512
1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1

Download Submit
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
MD5
0783312f7caf72f1ac2a9951145bdda4

SHA1
c3da5594f78880bd4fc1d496efca357e6c19f65a

SHA256
e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3

SHA512
1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kehf8ycu2b9frn
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvevjpvkd
MD5
16e9578e89075c3a629d875e9b469ae9

SHA1
5dd4c7094fcbc16141a927e2e26ca09fd52841f4

SHA256
749a06c39bc2583e348c5ddccfcef5972305e309ce5a0c9d6a0433ab7ba209bb

SHA512
965da7bfef9d2bbc0ad91ebca7f35f8d2a5d2f242f2cc9b7cb2eae91ead961fcf4ee3858bcf4af7e7bacc8a3076131424f3c340cf975cb6cad58d800ecffbf31

Download Submit
\Users\Admin\AppData\Local\Temp\nsf3165.tmp\wzqevt.dll
MD5
a776ec55ad876c58677a7fcd8d196f2c

SHA1
108a7314775f38ecc724ed1b01488ee4504f797b

SHA256
072b6796585536a21e8d1815adf43a3047509468ef4b60d55eee335a7136ef04

SHA512
1c1e3a0875c98011fade09a3577b92c7d56ea5497f5b2dcabe736a5ae44512523874129d63a1547fe808741322ae4c29de72b0ecb276fb201e2d75274fffedfb

Download Submit
\Users\Admin\AppData\Local\Temp\nsj66A7.tmp\wzqevt.dll
MD5
a776ec55ad876c58677a7fcd8d196f2c

SHA1
108a7314775f38ecc724ed1b01488ee4504f797b

SHA256
072b6796585536a21e8d1815adf43a3047509468ef4b60d55eee335a7136ef04

SHA512
1c1e3a0875c98011fade09a3577b92c7d56ea5497f5b2dcabe736a5ae44512523874129d63a1547fe808741322ae4c29de72b0ecb276fb201e2d75274fffedfb

Download Submit
memory/840-134-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download
memory/920-120-0x0000000000500000-0x0000000000E40000-memory.dmp

Filesize
9.2MB

Download
memory/920-118-0x0000000000A00000-0x0000000000D20000-memory.dmp

Filesize
3.1MB

Download
memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1388-124-0x00000000052B0000-0x0000000005444000-memory.dmp

Filesize
1.6MB

Download
memory/1388-123-0x00000000055F0000-0x0000000005910000-memory.dmp

Filesize
3.1MB

Download
memory/1388-122-0x00000000035F0000-0x0000000003619000-memory.dmp

Filesize
164KB

Download
memory/1388-121-0x0000000001220000-0x000000000151C000-memory.dmp

Filesize
3.0MB

Download
memory/2072-125-0x0000000006120000-0x00000000061BB000-memory.dmp

Filesize
620KB

Download
memory/2072-119-0x0000000002AD0000-0x0000000002B9F000-memory.dmp

Filesize
828KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads