formbook | 3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3

General

Target

RECEIPT REF NO 002627262.exe
Size

302KB
MD5

5d333987aafbd8bf8df57e9b9e56b4ac
SHA1

c7bc50b60c4b20e1bf40eed679def38e46c0fb13
SHA256

3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3
SHA512

38eccdd1bd52da95835c8305257aa0b548a7582d04a87f2c06e82365cf00fdd699cb6ecc46b40146a658b9f4efae562141d809ad7b05ddfebc5d694b6417e517

Score

10^/10

formbook xloader rmfg loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 536 created 3840 536 WerFault.exe bdll_ryptrh_r.exe
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

description	pid	process	target process
PID 536 created 3840	536	WerFault.exe	bdll_ryptrh_r.exe

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3228-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3228-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1596-147-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RPXLG6JPLXID = "C:\\Program Files (x86)\\Mmdwx\\bdll_ryptrh_r.exe"	rundll32.exe

Executes dropped EXE 3 IoCs

Processes:

wpxizwm.exewpxizwm.exebdll_ryptrh_r.exe

pid process

460 wpxizwm.exe
3228 wpxizwm.exe
3840 bdll_ryptrh_r.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
460	wpxizwm.exe
3228	wpxizwm.exe
3840	bdll_ryptrh_r.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

wpxizwm.exewpxizwm.exerundll32.exe

description	pid	process	target process
PID 460 set thread context of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 3228 set thread context of 2324	3228	wpxizwm.exe	Explorer.EXE
PID 3228 set thread context of 2324	3228	wpxizwm.exe	Explorer.EXE
PID 1596 set thread context of 2324	1596	rundll32.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

rundll32.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Mmdwx	Explorer.EXE
File created	C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1252 3840 WerFault.exe bdll_ryptrh_r.exe

pid	pid_target	process	target process
1252	3840	WerFault.exe	bdll_ryptrh_r.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

wpxizwm.exerundll32.exe

pid	process
3228	wpxizwm.exe
3228	wpxizwm.exe
3228	wpxizwm.exe
3228	wpxizwm.exe
3228	wpxizwm.exe
3228	wpxizwm.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2324 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

wpxizwm.exerundll32.exe

pid process

3228 wpxizwm.exe
3228 wpxizwm.exe
3228 wpxizwm.exe
3228 wpxizwm.exe
1596 rundll32.exe
1596 rundll32.exe
1596 rundll32.exe

pid	process
2324	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

wpxizwm.exerundll32.exeExplorer.EXEWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3228	wpxizwm.exe
Token: SeDebugPrivilege	1596	rundll32.exe
Token: SeShutdownPrivilege	2324	Explorer.EXE
Token: SeCreatePagefilePrivilege	2324	Explorer.EXE
Token: SeShutdownPrivilege	2324	Explorer.EXE
Token: SeCreatePagefilePrivilege	2324	Explorer.EXE
Token: SeShutdownPrivilege	2324	Explorer.EXE
Token: SeCreatePagefilePrivilege	2324	Explorer.EXE
Token: SeShutdownPrivilege	2324	Explorer.EXE
Token: SeCreatePagefilePrivilege	2324	Explorer.EXE
Token: SeRestorePrivilege	1252	WerFault.exe
Token: SeBackupPrivilege	1252	WerFault.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

RECEIPT REF NO 002627262.exewpxizwm.exeExplorer.EXErundll32.exeWerFault.exe

description	pid	process	target process
PID 3780 wrote to memory of 460	3780	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 3780 wrote to memory of 460	3780	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 3780 wrote to memory of 460	3780	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 460 wrote to memory of 3228	460	wpxizwm.exe	wpxizwm.exe
PID 2324 wrote to memory of 1596	2324	Explorer.EXE	rundll32.exe
PID 2324 wrote to memory of 1596	2324	Explorer.EXE	rundll32.exe
PID 2324 wrote to memory of 1596	2324	Explorer.EXE	rundll32.exe
PID 1596 wrote to memory of 2724	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 2724	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 2724	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 3628	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 3628	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 3628	1596	rundll32.exe	cmd.exe
PID 1596 wrote to memory of 2056	1596	rundll32.exe	Firefox.exe
PID 1596 wrote to memory of 2056	1596	rundll32.exe	Firefox.exe
PID 2324 wrote to memory of 3840	2324	Explorer.EXE	bdll_ryptrh_r.exe
PID 2324 wrote to memory of 3840	2324	Explorer.EXE	bdll_ryptrh_r.exe
PID 2324 wrote to memory of 3840	2324	Explorer.EXE	bdll_ryptrh_r.exe
PID 536 wrote to memory of 3840	536	WerFault.exe	bdll_ryptrh_r.exe
PID 536 wrote to memory of 3840	536	WerFault.exe	bdll_ryptrh_r.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe"
3⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3628

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2056

C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe
"C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe"
2⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 552
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdean
MD5
a04faf63da2fbfb5679e41d04140939e

SHA1
b8d6dbb0f2fafdeeead79c0cd62326cda95a8785

SHA256
c6144a6b0af2eaaa5b1226448b012740bcad08bc401a4f697d755b571c066a7c

SHA512
cd98d5fc8708992769cd7d792c3bd09624983e548e949a9844677f58ddf51c5f2cd479b2e05ae734054d8633f6cddf0127165c54903fec897a86bdef1ce7a866

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsyco49pmc4l
MD5
945121f49321875af38fe7f12dd2343e

SHA1
f2cf4c6a504815e362a18cce671b6c0b371629e1

SHA256
ff66241def80707fe029fefa54441de9eb88028c5cc33f20ef080cf2e04254e5

SHA512
1ca2a7f9c3e1c535514ebc9a5861c4f632a39354351e63a074081b864cd9592636781fe5714dad8472148ba1b5f0f41b104075556960aec73b3510f6ff3d6634

Download Submit
memory/1596-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-148-0x00000000043B0000-0x00000000046FA000-memory.dmp

Filesize
3.3MB

Download
memory/1596-149-0x00000000040E0000-0x0000000004170000-memory.dmp

Filesize
576KB

Download
memory/1596-146-0x0000000000A20000-0x0000000000A34000-memory.dmp

Filesize
80KB

Download
memory/2324-141-0x0000000007D80000-0x0000000007EDC000-memory.dmp

Filesize
1.4MB

Download
memory/2324-150-0x0000000008280000-0x00000000083BA000-memory.dmp

Filesize
1.2MB

Download
memory/2324-145-0x00000000071E0000-0x000000000728D000-memory.dmp

Filesize
692KB

Download
memory/3228-144-0x0000000000940000-0x0000000000951000-memory.dmp

Filesize
68KB

Download
memory/3228-139-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3228-140-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/3228-143-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3228-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3228-137-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/3228-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads