formbook | 145f840479b9baa3431886abf20b30820f2cc5fe427c0d14390818c7e38ad3cd

Analysis

max time kernel
4294211s
max time network
152s
platform
windows7_x64
resource
win7-20220311-en
submitted
22-03-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

274KB
MD5

16c4a16f7bd751b068e65d81ba2f64cd
SHA1

3cc2679cb6af197f177481f7708bed0eed93f458
SHA256

145f840479b9baa3431886abf20b30820f2cc5fe427c0d14390818c7e38ad3cd
SHA512

8675970aa4fc84e3fc6e9b84b7189e8077a372e15b01be22bfd52877e2e6c94d439e213271d2554f242182fc9052b9b98148876e31096467c778cc508cad006f

Score

10^/10

formbook xloader ahc8 loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/468-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/468-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1304-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

Processes:

hsssany.exehsssany.exeigfxqlu.exe

pid process

308 hsssany.exe
468 hsssany.exe
1116 igfxqlu.exe
Loads dropped DLL 3 IoCs

Processes:

tmp.exehsssany.exe

pid process

1832 tmp.exe
1832 tmp.exe
308 hsssany.exe

pid	process
308	hsssany.exe
468	hsssany.exe
1116	igfxqlu.exe

pid	process
1832	tmp.exe
1832	tmp.exe
308	hsssany.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cmmon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LTXD9TK0WF5 = "C:\\Program Files (x86)\\K7nh8xz\\igfxqlu.exe"	cmmon32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hsssany.exehsssany.execmmon32.exe

description	pid	process	target process
PID 308 set thread context of 468	308	hsssany.exe	hsssany.exe
PID 468 set thread context of 1420	468	hsssany.exe	Explorer.EXE
PID 1304 set thread context of 1420	1304	cmmon32.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

cmmon32.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\K7nh8xz\igfxqlu.exe	cmmon32.exe
File created	C:\Program Files (x86)\K7nh8xz\igfxqlu.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2199625441-3471261906-229485034-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

hsssany.execmmon32.exe

pid	process
468	hsssany.exe
468	hsssany.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe
1304	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

hsssany.execmmon32.exe

pid process

468 hsssany.exe
468 hsssany.exe
468 hsssany.exe
1304 cmmon32.exe
1304 cmmon32.exe
1304 cmmon32.exe
1304 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hsssany.execmmon32.exe

description pid process

Token: SeDebugPrivilege 468 hsssany.exe
Token: SeDebugPrivilege 1304 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE

pid	process
1420	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	468	hsssany.exe
Token: SeDebugPrivilege	1304	cmmon32.exe

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exehsssany.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1832 wrote to memory of 308	1832	tmp.exe	hsssany.exe
PID 1832 wrote to memory of 308	1832	tmp.exe	hsssany.exe
PID 1832 wrote to memory of 308	1832	tmp.exe	hsssany.exe
PID 1832 wrote to memory of 308	1832	tmp.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 308 wrote to memory of 468	308	hsssany.exe	hsssany.exe
PID 1420 wrote to memory of 1304	1420	Explorer.EXE	cmmon32.exe
PID 1420 wrote to memory of 1304	1420	Explorer.EXE	cmmon32.exe
PID 1420 wrote to memory of 1304	1420	Explorer.EXE	cmmon32.exe
PID 1420 wrote to memory of 1304	1420	Explorer.EXE	cmmon32.exe
PID 1304 wrote to memory of 1296	1304	cmmon32.exe	cmd.exe
PID 1304 wrote to memory of 1296	1304	cmmon32.exe	cmd.exe
PID 1304 wrote to memory of 1296	1304	cmmon32.exe	cmd.exe
PID 1304 wrote to memory of 1296	1304	cmmon32.exe	cmd.exe
PID 1304 wrote to memory of 1084	1304	cmmon32.exe	Firefox.exe
PID 1304 wrote to memory of 1084	1304	cmmon32.exe	Firefox.exe
PID 1304 wrote to memory of 1084	1304	cmmon32.exe	Firefox.exe
PID 1304 wrote to memory of 1084	1304	cmmon32.exe	Firefox.exe
PID 1420 wrote to memory of 1116	1420	Explorer.EXE	igfxqlu.exe
PID 1420 wrote to memory of 1116	1420	Explorer.EXE	igfxqlu.exe
PID 1420 wrote to memory of 1116	1420	Explorer.EXE	igfxqlu.exe
PID 1420 wrote to memory of 1116	1420	Explorer.EXE	igfxqlu.exe
PID 1304 wrote to memory of 1084	1304	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\hsssany.exe
C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\hsssany.exe
C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hsssany.exe"
3⤵
PID:1296

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1084

C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
"C:\Program Files (x86)\K7nh8xz\igfxqlu.exe"
2⤵
- Executes dropped EXE
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fki5xdwbhcbhpy
MD5
7fb21510f14fd999145c37cb54d191de

SHA1
7ce318c80c798dfcc6a601d531f49ed95134e9ce

SHA256
a20f4cce92d9bd4eb9c9e943514de908ea2ca9f666623c04de319dd7a7a67367

SHA512
483b8cbab3e6bd316b290a7cc8f9ae5316d5f8d843e37a26ec628172a038454c557569729eb5cf1ca7731c8781580109a0c9c0f7d2a4c12012d716e2aa0d8e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\igjxkq
MD5
1169886f2881955b7e4af98a4d4251d6

SHA1
ab0a023754e13727d7e76c7821da43667519c1aa

SHA256
f0c6b182474ca01313269fb8f3a1e8aa82c2389ae1b0ee919ff710a34519f320

SHA512
80a7794c370cee1babd3dde9e412cfdc4ab850a1654623e3a4fe5657e7ab88d4ae77efcbd15fa9560d405ff01a422a41d9e6569a508a9f8a8987c36fc479f314

Download Submit
\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
memory/308-61-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/468-68-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/468-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/468-69-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/468-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1304-71-0x00000000008A0000-0x00000000008AD000-memory.dmp

Filesize
52KB

Download
memory/1304-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1304-73-0x0000000001E40000-0x0000000002143000-memory.dmp

Filesize
3.0MB

Download
memory/1304-74-0x0000000001CB0000-0x0000000001D40000-memory.dmp

Filesize
576KB

Download
memory/1420-70-0x00000000068E0000-0x0000000006A68000-memory.dmp

Filesize
1.5MB

Download
memory/1420-75-0x0000000004D50000-0x0000000004E87000-memory.dmp

Filesize
1.2MB

Download
memory/1832-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download