formbook | a5e127b40d8ee4de136544f90b47723aee93def5d9e292d9976ff792052f717d

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630377.xls .scr
Size

535KB
MD5

596b08cab4dec9f4c91112410b811c22
SHA1

c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b
SHA256

2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
SHA512

f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Score

10^/10

formbook xloader rcgc agilenet loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

rcgc

Decoy

allwinpressing.com

topographix.net

theraymondng.com

massvp.com

evchn.com

victorialouiseimagery.com

gallerysouthlosaltos.com

rackspaceupdate.com

genesprofile.com

vyscoxa.net

lishaobing.com

knottherapymassage.com

grappletoytether.net

thetastevegan.com

actionpaintservices.com

perdidoveteransdayparty.com

hotteo.com

tanngogia.com

xn--oy2b11lymexwcbzy.com

ap-lrco.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/976-77-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral1/memory/976-78-0x000000000041C220-mapping.dmp	xloader
behavioral1/memory/976-81-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral1/memory/840-87-0x0000000000080000-0x00000000000A7000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

mbdx.exeAddInProcess32.exe

pid process

280 mbdx.exe
976 AddInProcess32.exe

pid	process
280	mbdx.exe
976	AddInProcess32.exe

Loads dropped DLL 4 IoCs

Processes:

630377.xls .scrmbdx.exe

pid	process
1800	630377.xls .scr
1800	630377.xls .scr
280	mbdx.exe
280	mbdx.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1800-56-0x00000000005B0000-0x00000000005D2000-memory.dmp	agile_net
behavioral1/memory/280-67-0x00000000004C0000-0x00000000004E2000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\smybv = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\mbdx.exe"	reg.exe
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VNU84HJ0 = "C:\\Program Files (x86)\\Ngjo\\ms0l58.exe"	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mbdx.exeAddInProcess32.exesvchost.exe

description	pid	process	target process
PID 280 set thread context of 976	280	mbdx.exe	AddInProcess32.exe
PID 976 set thread context of 1288	976	AddInProcess32.exe	Explorer.EXE
PID 840 set thread context of 1288	840	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ngjo\ms0l58.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ngjo\ms0l58.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

630377.xls .scrmbdx.exeAddInProcess32.exesvchost.exe

pid	process
1800	630377.xls .scr
1800	630377.xls .scr
280	mbdx.exe
280	mbdx.exe
280	mbdx.exe
976	AddInProcess32.exe
976	AddInProcess32.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

AddInProcess32.exesvchost.exe

pid process

976 AddInProcess32.exe
976 AddInProcess32.exe
976 AddInProcess32.exe
840 svchost.exe
840 svchost.exe
840 svchost.exe
840 svchost.exe

pid	process
976	AddInProcess32.exe
976	AddInProcess32.exe
976	AddInProcess32.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe
840	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

630377.xls .scrmbdx.exeAddInProcess32.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1800	630377.xls .scr
Token: SeDebugPrivilege	280	mbdx.exe
Token: SeDebugPrivilege	976	AddInProcess32.exe
Token: SeDebugPrivilege	840	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

630377.xls .scrcmd.exembdx.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1800 wrote to memory of 1576	1800	630377.xls .scr	cmd.exe
PID 1800 wrote to memory of 1576	1800	630377.xls .scr	cmd.exe
PID 1800 wrote to memory of 1576	1800	630377.xls .scr	cmd.exe
PID 1800 wrote to memory of 1576	1800	630377.xls .scr	cmd.exe
PID 1576 wrote to memory of 1400	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1400	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1400	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1400	1576	cmd.exe	reg.exe
PID 1800 wrote to memory of 280	1800	630377.xls .scr	mbdx.exe
PID 1800 wrote to memory of 280	1800	630377.xls .scr	mbdx.exe
PID 1800 wrote to memory of 280	1800	630377.xls .scr	mbdx.exe
PID 1800 wrote to memory of 280	1800	630377.xls .scr	mbdx.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 280 wrote to memory of 976	280	mbdx.exe	AddInProcess32.exe
PID 1288 wrote to memory of 840	1288	Explorer.EXE	svchost.exe
PID 1288 wrote to memory of 840	1288	Explorer.EXE	svchost.exe
PID 1288 wrote to memory of 840	1288	Explorer.EXE	svchost.exe
PID 1288 wrote to memory of 840	1288	Explorer.EXE	svchost.exe
PID 840 wrote to memory of 636	840	svchost.exe	cmd.exe
PID 840 wrote to memory of 636	840	svchost.exe	cmd.exe
PID 840 wrote to memory of 636	840	svchost.exe	cmd.exe
PID 840 wrote to memory of 636	840	svchost.exe	cmd.exe
PID 840 wrote to memory of 1480	840	svchost.exe	Firefox.exe
PID 840 wrote to memory of 1480	840	svchost.exe	Firefox.exe
PID 840 wrote to memory of 1480	840	svchost.exe	Firefox.exe
PID 840 wrote to memory of 1480	840	svchost.exe	Firefox.exe
PID 840 wrote to memory of 1480	840	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\630377.xls .scr
"C:\Users\Admin\AppData\Local\Temp\630377.xls .scr" /S
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
4⤵
- Adds Run key to start application
PID:1400

C:\Users\Admin\mbdx.exe
"C:\Users\Admin\mbdx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:636

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\mbdx.exe
Filesize
535KB

MD5
596b08cab4dec9f4c91112410b811c22

SHA1
c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512
f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Download Submit
C:\Users\Admin\mbdx.exe
Filesize
535KB

MD5
596b08cab4dec9f4c91112410b811c22

SHA1
c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512
f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Download Submit
\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\mbdx.exe
Filesize
535KB

MD5
596b08cab4dec9f4c91112410b811c22

SHA1
c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512
f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Download Submit
memory/280-62-0x0000000000000000-mapping.dmp

Download
memory/280-65-0x0000000000B00000-0x0000000000B8C000-memory.dmp

Filesize
560KB

Download
memory/280-67-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/280-70-0x0000000074270000-0x00000000742F0000-memory.dmp

Filesize
512KB

Download
memory/280-71-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/636-88-0x0000000000000000-mapping.dmp

Download
memory/840-90-0x00000000005C0000-0x000000000064F000-memory.dmp

Filesize
572KB

Download
memory/840-89-0x0000000000750000-0x0000000000A53000-memory.dmp

Filesize
3.0MB

Download
memory/840-87-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/840-86-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/840-85-0x0000000000000000-mapping.dmp

Download
memory/976-77-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/976-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/976-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/976-81-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/976-82-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/976-83-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/976-78-0x000000000041C220-mapping.dmp

Download
memory/1288-84-0x0000000004F40000-0x0000000005023000-memory.dmp

Filesize
908KB

Download
memory/1288-91-0x00000000068F0000-0x0000000006A1D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-60-0x0000000000000000-mapping.dmp

Download
memory/1576-59-0x0000000000000000-mapping.dmp

Download
memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1800-56-0x00000000005B0000-0x00000000005D2000-memory.dmp

Filesize
136KB

Download
memory/1800-54-0x0000000001100000-0x000000000118C000-memory.dmp

Filesize
560KB

Download