formbook | f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FINAL DOCS HBL & MBL.exe
Size

341KB
MD5

ed7a8355e96497207cbe18a9054419b0
SHA1

3e3fd5958bfcca507a8bf9c228db086206f49bf2
SHA256

f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba
SHA512

2f9074f17d35ba1c383608803c0d62d3e669507045015f98a74d223fc38a444a102119d12b6c2b4bb3fa757215689a6b23fa1b5754dca5ccae76126ffb19523d

Score

10^/10

formbook xloader ygkp loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ygkp

Decoy

cbdlively.com

1nfo-post.com

janejohnsonlmt.com

autotradecryptoswithjack.com

mustang-international.net

dreamthorp.com

alexandratanner.net

exilings.com

gzjdgjg.com

51minzhu.com

wgv.info

raymondjamesconsult.com

omariblair.com

vaalerahealth.com

outdoorvoiceshop.com

spbo.info

blasiandating.online

c01-cdn48-oxble.xyz

mrmycology.com

installturbooax.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4604-136-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/4132-145-0x0000000000E60000-0x0000000000E8B000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

Processes:

gggedibw.exegggedibw.exegdjp7onuhz.exe

pid process

4396 gggedibw.exe
4604 gggedibw.exe
3924 gdjp7onuhz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4396	gggedibw.exe
4604	gggedibw.exe
3924	gdjp7onuhz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPLDWP-X-2 = "C:\\Program Files (x86)\\C2dbxnz\\gdjp7onuhz.exe"	msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gggedibw.exegggedibw.exemsdt.exe

description	pid	process	target process
PID 4396 set thread context of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4604 set thread context of 1504	4604	gggedibw.exe	Explorer.EXE
PID 4132 set thread context of 1504	4132	msdt.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

msdt.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe	msdt.exe
File opened for modification	C:\Program Files (x86)\C2dbxnz	Explorer.EXE
File created	C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4520 3924 WerFault.exe gdjp7onuhz.exe

pid	pid_target	process	target process
4520	3924	WerFault.exe	gdjp7onuhz.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

gggedibw.exemsdt.exe

pid	process
4604	gggedibw.exe
4604	gggedibw.exe
4604	gggedibw.exe
4604	gggedibw.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe
4132	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1504 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gggedibw.exemsdt.exe

pid process

4604 gggedibw.exe
4604 gggedibw.exe
4604 gggedibw.exe
4132 msdt.exe
4132 msdt.exe
4132 msdt.exe
4132 msdt.exe

pid	process
1504	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gggedibw.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4604	gggedibw.exe
Token: SeDebugPrivilege	4132	msdt.exe
Token: SeShutdownPrivilege	1504	Explorer.EXE
Token: SeCreatePagefilePrivilege	1504	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

FINAL DOCS HBL & MBL.exegggedibw.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 4588 wrote to memory of 4396	4588	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 4588 wrote to memory of 4396	4588	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 4588 wrote to memory of 4396	4588	FINAL DOCS HBL & MBL.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 4396 wrote to memory of 4604	4396	gggedibw.exe	gggedibw.exe
PID 1504 wrote to memory of 4132	1504	Explorer.EXE	msdt.exe
PID 1504 wrote to memory of 4132	1504	Explorer.EXE	msdt.exe
PID 1504 wrote to memory of 4132	1504	Explorer.EXE	msdt.exe
PID 4132 wrote to memory of 4852	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 4852	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 4852	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 4676	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 4676	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 4676	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 3988	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 3988	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 3988	4132	msdt.exe	cmd.exe
PID 4132 wrote to memory of 2324	4132	msdt.exe	Firefox.exe
PID 4132 wrote to memory of 2324	4132	msdt.exe	Firefox.exe
PID 4132 wrote to memory of 2324	4132	msdt.exe	Firefox.exe
PID 1504 wrote to memory of 3924	1504	Explorer.EXE	gdjp7onuhz.exe
PID 1504 wrote to memory of 3924	1504	Explorer.EXE	gdjp7onuhz.exe
PID 1504 wrote to memory of 3924	1504	Explorer.EXE	gdjp7onuhz.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe
"C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gggedibw.exe"
3⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3988

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2324

C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe
"C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe"
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 216
3⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3924 -ip 3924
1⤵
PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
Filesize
184KB

MD5
aae9f5343cef252e1c7b4a1a3028b83d

SHA1
5d33892c4c69018e75ab7918e857998b53078466

SHA256
5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e

SHA512
1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqiv3bn3ymt6ac8jm7
Filesize
171KB

MD5
1148683cca7b93d4a8c4bae984e56f25

SHA1
69a040267d63e9f4df5a30e70eceaddbd97c063a

SHA256
283f659c8ebb71ad404509a287945444d5e02c335ba02b86ba185199d9d37b46

SHA512
d559f25048a302c6b6b45e7f4f0ea10b0925160c99c904daff151426606de83dc5199298a871c3ba4777475e761f4e812c1a7ab747c76eba68d5c4d000cae007

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjfsqpy
Filesize
5KB

MD5
42d16384fa40f41309ee20f10da5838a

SHA1
8c94a48b1cf661f67c39ff649f306d6ec3809dce

SHA256
b435dbb39f235eefdd4b1fc8f54156376914d2cd19ab63f7a0efbf8ba4a41a94

SHA512
868a0f3e18005010bd79493b28c7e32b1c8c4d225db92aa7dfece7762ce08981db74746291d57619f12c7a5386ad4dfb2d43984873376a8b7792741e24a67b6d

Download Submit
memory/1504-148-0x0000000002580000-0x0000000002632000-memory.dmp

Filesize
712KB

Download
memory/1504-141-0x0000000007C90000-0x0000000007DCF000-memory.dmp

Filesize
1.2MB

Download
memory/3924-153-0x0000000000000000-mapping.dmp

Download
memory/3988-151-0x0000000000000000-mapping.dmp

Download
memory/4132-146-0x0000000002FD0000-0x000000000331A000-memory.dmp

Filesize
3.3MB

Download
memory/4132-145-0x0000000000E60000-0x0000000000E8B000-memory.dmp

Filesize
172KB

Download
memory/4132-142-0x0000000000000000-mapping.dmp

Download
memory/4132-147-0x0000000002CD0000-0x0000000002D60000-memory.dmp

Filesize
576KB

Download
memory/4132-144-0x00000000006B0000-0x0000000000707000-memory.dmp

Filesize
348KB

Download
memory/4396-130-0x0000000000000000-mapping.dmp

Download
memory/4604-138-0x0000000001960000-0x0000000001CAA000-memory.dmp

Filesize
3.3MB

Download
memory/4604-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4604-135-0x0000000000000000-mapping.dmp

Download
memory/4604-140-0x0000000001CB0000-0x0000000001CC1000-memory.dmp

Filesize
68KB

Download
memory/4676-149-0x0000000000000000-mapping.dmp

Download
memory/4852-143-0x0000000000000000-mapping.dmp

Download