formbook | f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba

General

Target

FINAL DOCS HBL & MBL.exe
Size

341KB
MD5

ed7a8355e96497207cbe18a9054419b0
SHA1

3e3fd5958bfcca507a8bf9c228db086206f49bf2
SHA256

f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba
SHA512

2f9074f17d35ba1c383608803c0d62d3e669507045015f98a74d223fc38a444a102119d12b6c2b4bb3fa757215689a6b23fa1b5754dca5ccae76126ffb19523d

Score

10^/10

formbook xloader ygkp loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ygkp

Decoy

cbdlively.com

1nfo-post.com

janejohnsonlmt.com

autotradecryptoswithjack.com

mustang-international.net

dreamthorp.com

alexandratanner.net

exilings.com

gzjdgjg.com

51minzhu.com

wgv.info

raymondjamesconsult.com

omariblair.com

vaalerahealth.com

outdoorvoiceshop.com

spbo.info

blasiandating.online

c01-cdn48-oxble.xyz

mrmycology.com

installturbooax.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1524-64-0x000000000041F350-mapping.dmp	xloader
behavioral1/memory/1524-63-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1524-67-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1376-74-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNBT9Z_H1NY8 = "C:\\Program Files (x86)\\Bkt_tnhq8\\systray2d9l_r.exe"	msdt.exe

Executes dropped EXE 2 IoCs

Processes:

gggedibw.exegggedibw.exe

pid process

700 gggedibw.exe
1524 gggedibw.exe
Loads dropped DLL 2 IoCs

Processes:

FINAL DOCS HBL & MBL.exegggedibw.exe

pid process

1972 FINAL DOCS HBL & MBL.exe
700 gggedibw.exe

pid	process
700	gggedibw.exe
1524	gggedibw.exe

pid	process
1972	FINAL DOCS HBL & MBL.exe
700	gggedibw.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gggedibw.exegggedibw.exemsdt.exe

description	pid	process	target process
PID 700 set thread context of 1524	700	gggedibw.exe	gggedibw.exe
PID 1524 set thread context of 1292	1524	gggedibw.exe	Explorer.EXE
PID 1376 set thread context of 1292	1376	msdt.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msdt.exe

description ioc process

File opened for modification C:\Program Files (x86)\Bkt_tnhq8\systray2d9l_r.exe msdt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bkt_tnhq8\systray2d9l_r.exe	msdt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

gggedibw.exemsdt.exe

pid	process
1524	gggedibw.exe
1524	gggedibw.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe
1376	msdt.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gggedibw.exemsdt.exe

pid process

1524 gggedibw.exe
1524 gggedibw.exe
1524 gggedibw.exe
1376 msdt.exe
1376 msdt.exe
1376 msdt.exe
1376 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gggedibw.exemsdt.exe

description pid process

Token: SeDebugPrivilege 1524 gggedibw.exe
Token: SeDebugPrivilege 1376 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1524	gggedibw.exe
Token: SeDebugPrivilege	1376	msdt.exe

pid	process
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

FINAL DOCS HBL & MBL.exegggedibw.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1972 wrote to memory of 700	1972	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 1972 wrote to memory of 700	1972	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 1972 wrote to memory of 700	1972	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 1972 wrote to memory of 700	1972	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 700 wrote to memory of 1524	700	gggedibw.exe	gggedibw.exe
PID 1292 wrote to memory of 1376	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1376	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1376	1292	Explorer.EXE	msdt.exe
PID 1292 wrote to memory of 1376	1292	Explorer.EXE	msdt.exe
PID 1376 wrote to memory of 1728	1376	msdt.exe	cmd.exe
PID 1376 wrote to memory of 1728	1376	msdt.exe	cmd.exe
PID 1376 wrote to memory of 1728	1376	msdt.exe	cmd.exe
PID 1376 wrote to memory of 1728	1376	msdt.exe	cmd.exe
PID 1376 wrote to memory of 828	1376	msdt.exe	Firefox.exe
PID 1376 wrote to memory of 828	1376	msdt.exe	Firefox.exe
PID 1376 wrote to memory of 828	1376	msdt.exe	Firefox.exe
PID 1376 wrote to memory of 828	1376	msdt.exe	Firefox.exe
PID 1376 wrote to memory of 828	1376	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe
"C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gggedibw.exe"
3⤵
PID:1728

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqiv3bn3ymt6ac8jm7
Filesize
171KB

MD5
1148683cca7b93d4a8c4bae984e56f25

SHA1
69a040267d63e9f4df5a30e70eceaddbd97c063a

SHA256
283f659c8ebb71ad404509a287945444d5e02c335ba02b86ba185199d9d37b46

SHA512
d559f25048a302c6b6b45e7f4f0ea10b0925160c99c904daff151426606de83dc5199298a871c3ba4777475e761f4e812c1a7ab747c76eba68d5c4d000cae007

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjfsqpy
Filesize
5KB

MD5
42d16384fa40f41309ee20f10da5838a

SHA1
8c94a48b1cf661f67c39ff649f306d6ec3809dce

SHA256
b435dbb39f235eefdd4b1fc8f54156376914d2cd19ab63f7a0efbf8ba4a41a94

SHA512
868a0f3e18005010bd79493b28c7e32b1c8c4d225db92aa7dfece7762ce08981db74746291d57619f12c7a5386ad4dfb2d43984873376a8b7792741e24a67b6d

Download Submit
\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
memory/700-56-0x0000000000000000-mapping.dmp

Download
memory/1292-70-0x0000000006990000-0x0000000006AEA000-memory.dmp

Filesize
1.4MB

Download
memory/1292-78-0x0000000006E40000-0x0000000006F74000-memory.dmp

Filesize
1.2MB

Download
memory/1376-75-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/1376-71-0x0000000000000000-mapping.dmp

Download
memory/1376-74-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1376-73-0x0000000000B50000-0x0000000000C44000-memory.dmp

Filesize
976KB

Download
memory/1376-77-0x0000000000A00000-0x0000000000A90000-memory.dmp

Filesize
576KB

Download
memory/1524-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1524-69-0x0000000000190000-0x00000000001A1000-memory.dmp

Filesize
68KB

Download
memory/1524-68-0x0000000000D90000-0x0000000001093000-memory.dmp

Filesize
3.0MB

Download
memory/1524-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1524-64-0x000000000041F350-mapping.dmp

Download
memory/1728-76-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads