formbook | dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0

General

Target

tmp.exe
Size

1.1MB
MD5

f2b83c2075be8c51ada1ac1b2366095e
SHA1

f1dbf47b7e225bd92bd8d1a14ea832117f7c1037
SHA256

dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0
SHA512

7fdaf5cb281658bd7a8e4088ec8609a3bdd0b07bd029cb8390c9ff3823c854d2d51462bfc4bca8cf2af709e1986ee9eaec33c0be4ca68c759e631e31d85470fe

Score

10^/10

formbook xloader arh2 evasion loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

hstorc.com

blackountry.com

dhrbakery.com

dezhouofit.com

defipayout.xyz

ginas4t.com

byzbh63.xyz

qrcrashview.com

mialibaby.com

enhaut.net

samainnova.com

yashveerresort.com

delfos.online

dungcumay.com

lj-counseling.net

fliptheswitch.pro

padogbitelawyer.com

aticarev.com

sederino.site

bestplansforpets-japan3.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4996-136-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2288-144-0x0000000001450000-0x000000000147B000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WWAHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WWAHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SFIPY8LPB4 = "C:\\Program Files (x86)\\M8pn\\ofalox44.exe"	WWAHost.exe

Executes dropped EXE 1 IoCs

Processes:

ofalox44.exe

pid process

4184 ofalox44.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
4184	ofalox44.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	tmp.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exehdwwiz.exeWWAHost.exe

description	pid	process	target process
PID 1732 set thread context of 4996	1732	tmp.exe	hdwwiz.exe
PID 4996 set thread context of 3032	4996	hdwwiz.exe	Explorer.EXE
PID 2288 set thread context of 3032	2288	WWAHost.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEWWAHost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\M8pn\ofalox44.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\M8pn\ofalox44.exe	WWAHost.exe
File opened for modification	C:\Program Files (x86)\M8pn	Explorer.EXE
File created	C:\Program Files (x86)\M8pn\ofalox44.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

WWAHost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exehdwwiz.exeWWAHost.exe

pid	process
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
1732	tmp.exe
4996	hdwwiz.exe
4996	hdwwiz.exe
4996	hdwwiz.exe
4996	hdwwiz.exe
1732	tmp.exe
1732	tmp.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

hdwwiz.exeWWAHost.exe

pid process

4996 hdwwiz.exe
4996 hdwwiz.exe
4996 hdwwiz.exe
2288 WWAHost.exe
2288 WWAHost.exe
2288 WWAHost.exe
2288 WWAHost.exe

pid	process
3032	Explorer.EXE

pid	process
4996	hdwwiz.exe
4996	hdwwiz.exe
4996	hdwwiz.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe
2288	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

tmp.exehdwwiz.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1732	tmp.exe
Token: SeDebugPrivilege	4996	hdwwiz.exe
Token: SeDebugPrivilege	2288	WWAHost.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1732 wrote to memory of 3624	1732	tmp.exe	esentutl.exe
PID 1732 wrote to memory of 3624	1732	tmp.exe	esentutl.exe
PID 1732 wrote to memory of 3624	1732	tmp.exe	esentutl.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 1732 wrote to memory of 4996	1732	tmp.exe	hdwwiz.exe
PID 3032 wrote to memory of 2288	3032	Explorer.EXE	WWAHost.exe
PID 3032 wrote to memory of 2288	3032	Explorer.EXE	WWAHost.exe
PID 3032 wrote to memory of 2288	3032	Explorer.EXE	WWAHost.exe
PID 2288 wrote to memory of 2088	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 2088	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 2088	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 1588	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 1588	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 1588	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 3020	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 3020	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 3020	2288	WWAHost.exe	cmd.exe
PID 2288 wrote to memory of 3164	2288	WWAHost.exe	Firefox.exe
PID 2288 wrote to memory of 3164	2288	WWAHost.exe	Firefox.exe
PID 2288 wrote to memory of 3164	2288	WWAHost.exe	Firefox.exe
PID 3032 wrote to memory of 4184	3032	Explorer.EXE	ofalox44.exe
PID 3032 wrote to memory of 4184	3032	Explorer.EXE	ofalox44.exe
PID 3032 wrote to memory of 4184	3032	Explorer.EXE	ofalox44.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\esentutl.exe
"C:\Windows\SysWOW64\esentutl.exe"
3⤵
PID:3624

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
3⤵
PID:4980

C:\Windows\SysWOW64\hdwwiz.exe
"C:\Windows\SysWOW64\hdwwiz.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\hdwwiz.exe"
3⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3020

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3164

C:\Program Files (x86)\M8pn\ofalox44.exe
"C:\Program Files (x86)\M8pn\ofalox44.exe"
2⤵
- Executes dropped EXE
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\M8pn\ofalox44.exe
Filesize
64KB

MD5
ad95d55ffcea88f38021920924e4c971

SHA1
d49793c7f6359ef3519d6972efa8a6ad8151940d

SHA256
81d43ad111bd8b8dad77e0c36e0d420332889fb9b473857dba779ea0c070442c

SHA512
1b7464dbd3dba7aecbc898211838c28f8a0dcf630e382673a3daf94583fe9c0f809e143fd10435d3fc8794336c0d83032dbc7b30094e251408d7566d2df5b7b0

Download Submit
C:\Program Files (x86)\M8pn\ofalox44.exe
Filesize
64KB

MD5
ad95d55ffcea88f38021920924e4c971

SHA1
d49793c7f6359ef3519d6972efa8a6ad8151940d

SHA256
81d43ad111bd8b8dad77e0c36e0d420332889fb9b473857dba779ea0c070442c

SHA512
1b7464dbd3dba7aecbc898211838c28f8a0dcf630e382673a3daf94583fe9c0f809e143fd10435d3fc8794336c0d83032dbc7b30094e251408d7566d2df5b7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/1588-148-0x0000000000000000-mapping.dmp

Download
memory/1732-131-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/1732-132-0x0000000006D00000-0x00000000072A4000-memory.dmp

Filesize
5.6MB

Download
memory/1732-133-0x0000000006810000-0x0000000006876000-memory.dmp

Filesize
408KB

Download
memory/1732-130-0x00000000007A0000-0x00000000008CA000-memory.dmp

Filesize
1.2MB

Download
memory/2088-142-0x0000000000000000-mapping.dmp

Download
memory/2288-143-0x0000000000170000-0x000000000024C000-memory.dmp

Filesize
880KB

Download
memory/2288-144-0x0000000001450000-0x000000000147B000-memory.dmp

Filesize
172KB

Download
memory/2288-145-0x00000000020B0000-0x00000000023FA000-memory.dmp

Filesize
3.3MB

Download
memory/2288-146-0x0000000001F50000-0x0000000001FE0000-memory.dmp

Filesize
576KB

Download
memory/2288-141-0x0000000000000000-mapping.dmp

Download
memory/3020-150-0x0000000000000000-mapping.dmp

Download
memory/3032-140-0x0000000002A30000-0x0000000002AFA000-memory.dmp

Filesize
808KB

Download
memory/3032-147-0x0000000007C60000-0x0000000007D16000-memory.dmp

Filesize
728KB

Download
memory/3624-134-0x0000000000000000-mapping.dmp

Download
memory/4184-152-0x0000000000000000-mapping.dmp

Download
memory/4996-139-0x0000000000DA0000-0x0000000000DB1000-memory.dmp

Filesize
68KB

Download
memory/4996-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4996-135-0x0000000000000000-mapping.dmp

Download
memory/4996-138-0x0000000001100000-0x000000000144A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads