formbook | 288af22386d598b4f132cdd48af047726697d5be16b5e7757eab935e54605c44

General

Target

PO894749745.exe
Size

720KB
MD5

c705b518d1ca69c0443f2f5eb0e655a2
SHA1

aab7fb45b724954b382f93a3aebc5109f7fb4138
SHA256

371a78d5f848b70de0d716586851eec55e92fc1e4e5898943c62c67a99c9e07a
SHA512

fe206b5f73624134eecf339d134384a66d44fc8a890f67e4b2fa1867caa10106b5e715343885f945d4f145b52c944caec9abe4e04126904944d9735766fc8501

Score

10^/10

formbook xloader b6fg loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4580-136-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral2/memory/4580-138-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral2/memory/4168-144-0x0000000001050000-0x0000000001077000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8P08FTBPF = "C:\\Program Files (x86)\\Nqztpdxxh\\s4vhljox.exe"	NETSTAT.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO894749745.exevbc.exeNETSTAT.EXE

description	pid	process	target process
PID 3016 set thread context of 4580	3016	PO894749745.exe	vbc.exe
PID 4580 set thread context of 2480	4580	vbc.exe	Explorer.EXE
PID 4168 set thread context of 2480	4168	NETSTAT.EXE	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

NETSTAT.EXEExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe	NETSTAT.EXE
File opened for modification	C:\Program Files (x86)\Nqztpdxxh	Explorer.EXE
File created	C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4168 NETSTAT.EXE

pid	process
4168	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

vbc.exeNETSTAT.EXE

pid	process
4580	vbc.exe
4580	vbc.exe
4580	vbc.exe
4580	vbc.exe
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE
4168	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2480 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

vbc.exeNETSTAT.EXE

pid process

4580 vbc.exe
4580 vbc.exe
4580 vbc.exe
4168 NETSTAT.EXE
4168 NETSTAT.EXE
4168 NETSTAT.EXE
4168 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4580 vbc.exe
Token: SeDebugPrivilege 4168 NETSTAT.EXE

pid	process
2480	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4580	vbc.exe
Token: SeDebugPrivilege	4168	NETSTAT.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PO894749745.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 3016 wrote to memory of 4580	3016	PO894749745.exe	vbc.exe
PID 2480 wrote to memory of 4168	2480	Explorer.EXE	NETSTAT.EXE
PID 2480 wrote to memory of 4168	2480	Explorer.EXE	NETSTAT.EXE
PID 2480 wrote to memory of 4168	2480	Explorer.EXE	NETSTAT.EXE
PID 4168 wrote to memory of 1304	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 1304	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 1304	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 5100	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 5100	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 5100	4168	NETSTAT.EXE	cmd.exe
PID 4168 wrote to memory of 3420	4168	NETSTAT.EXE	Firefox.exe
PID 4168 wrote to memory of 3420	4168	NETSTAT.EXE	Firefox.exe
PID 4168 wrote to memory of 3420	4168	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\PO894749745.exe
"C:\Users\Admin\AppData\Local\Temp\PO894749745.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:5100

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe
Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/1304-145-0x0000000000000000-mapping.dmp

Download
memory/2480-141-0x00000000026E0000-0x00000000027CE000-memory.dmp

Filesize
952KB

Download
memory/2480-148-0x0000000007E30000-0x0000000007F06000-memory.dmp

Filesize
856KB

Download
memory/3016-131-0x0000000004F60000-0x0000000005504000-memory.dmp

Filesize
5.6MB

Download
memory/3016-132-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/3016-133-0x0000000004A10000-0x0000000004A1A000-memory.dmp

Filesize
40KB

Download
memory/3016-134-0x00000000073C0000-0x000000000745C000-memory.dmp

Filesize
624KB

Download
memory/3016-130-0x00000000000D0000-0x000000000018A000-memory.dmp

Filesize
744KB

Download
memory/4168-146-0x0000000001890000-0x0000000001BDA000-memory.dmp

Filesize
3.3MB

Download
memory/4168-142-0x0000000000000000-mapping.dmp

Download
memory/4168-143-0x0000000000470000-0x000000000047B000-memory.dmp

Filesize
44KB

Download
memory/4168-144-0x0000000001050000-0x0000000001077000-memory.dmp

Filesize
156KB

Download
memory/4168-147-0x00000000016C0000-0x000000000174F000-memory.dmp

Filesize
572KB

Download
memory/4580-140-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/4580-139-0x0000000001500000-0x000000000184A000-memory.dmp

Filesize
3.3MB

Download
memory/4580-138-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4580-136-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4580-135-0x0000000000000000-mapping.dmp

Download
memory/5100-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads