formbook | 45e8352d78b438ccf83d36f8679b58110a7296d65619f92e1f06c5da5d349ff9

General

Target

Quotation 301086.exe
Size

342KB
MD5

770a74fcec9906c0e0cb99272fa59497
SHA1

844122ceb786ce1ee94b65626f1d76ce05cb201f
SHA256

45e8352d78b438ccf83d36f8679b58110a7296d65619f92e1f06c5da5d349ff9
SHA512

73f0899cbb8b3080f770af9248fcd1c5ddd8722c9d3c09131bdadea4ca4183a92c1af390bbe3f950d337f9ba205ce847b12c421301277fa1bed655cabec419dd

Score

10^/10

formbook xloader ygkp loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ygkp

Decoy

cbdlively.com

1nfo-post.com

janejohnsonlmt.com

autotradecryptoswithjack.com

mustang-international.net

dreamthorp.com

alexandratanner.net

exilings.com

gzjdgjg.com

51minzhu.com

wgv.info

raymondjamesconsult.com

omariblair.com

vaalerahealth.com

outdoorvoiceshop.com

spbo.info

blasiandating.online

c01-cdn48-oxble.xyz

mrmycology.com

installturbooax.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/896-63-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/896-64-0x000000000041F350-mapping.dmp	xloader
behavioral1/memory/896-67-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/536-74-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NAPSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HTLHUR5XGVH = "C:\\Program Files (x86)\\Jyt80\\colorcplzvg4h4n8.exe"	NAPSTAT.EXE

Executes dropped EXE 2 IoCs

Processes:

iklxnv.exeiklxnv.exe

pid process

1868 iklxnv.exe
896 iklxnv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 2 IoCs

Processes:

Quotation 301086.exeiklxnv.exe

pid process

1324 Quotation 301086.exe
1868 iklxnv.exe

pid	process
1868	iklxnv.exe
896	iklxnv.exe

pid	process
1324	Quotation 301086.exe
1868	iklxnv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

iklxnv.exeiklxnv.exeNAPSTAT.EXE

description	pid	process	target process
PID 1868 set thread context of 896	1868	iklxnv.exe	iklxnv.exe
PID 896 set thread context of 1232	896	iklxnv.exe	Explorer.EXE
PID 536 set thread context of 1232	536	NAPSTAT.EXE	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

NAPSTAT.EXE

description ioc process

File opened for modification C:\Program Files (x86)\Jyt80\colorcplzvg4h4n8.exe NAPSTAT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Jyt80\colorcplzvg4h4n8.exe	NAPSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

NAPSTAT.EXEexplorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

iklxnv.exeNAPSTAT.EXE

pid process

896 iklxnv.exe
896 iklxnv.exe
536 NAPSTAT.EXE
536 NAPSTAT.EXE
536 NAPSTAT.EXE
536 NAPSTAT.EXE
536 NAPSTAT.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

iklxnv.exeNAPSTAT.EXE

pid process

896 iklxnv.exe
896 iklxnv.exe
896 iklxnv.exe
536 NAPSTAT.EXE
536 NAPSTAT.EXE
536 NAPSTAT.EXE
536 NAPSTAT.EXE

pid	process
896	iklxnv.exe
896	iklxnv.exe
536	NAPSTAT.EXE
536	NAPSTAT.EXE
536	NAPSTAT.EXE
536	NAPSTAT.EXE
536	NAPSTAT.EXE

pid	process
896	iklxnv.exe
896	iklxnv.exe
896	iklxnv.exe
536	NAPSTAT.EXE
536	NAPSTAT.EXE
536	NAPSTAT.EXE
536	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

iklxnv.exeNAPSTAT.EXEexplorer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	896	iklxnv.exe
Token: SeDebugPrivilege	536	NAPSTAT.EXE
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: 33	588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	588	AUDIODG.EXE
Token: 33	588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	588	AUDIODG.EXE
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe
Token: SeShutdownPrivilege	1680	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

Explorer.EXEexplorer.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

Explorer.EXEexplorer.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe
1680	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Quotation 301086.exeiklxnv.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1324 wrote to memory of 1868	1324	Quotation 301086.exe	iklxnv.exe
PID 1324 wrote to memory of 1868	1324	Quotation 301086.exe	iklxnv.exe
PID 1324 wrote to memory of 1868	1324	Quotation 301086.exe	iklxnv.exe
PID 1324 wrote to memory of 1868	1324	Quotation 301086.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1868 wrote to memory of 896	1868	iklxnv.exe	iklxnv.exe
PID 1232 wrote to memory of 536	1232	Explorer.EXE	NAPSTAT.EXE
PID 1232 wrote to memory of 536	1232	Explorer.EXE	NAPSTAT.EXE
PID 1232 wrote to memory of 536	1232	Explorer.EXE	NAPSTAT.EXE
PID 1232 wrote to memory of 536	1232	Explorer.EXE	NAPSTAT.EXE
PID 536 wrote to memory of 1628	536	NAPSTAT.EXE	cmd.exe
PID 536 wrote to memory of 1628	536	NAPSTAT.EXE	cmd.exe
PID 536 wrote to memory of 1628	536	NAPSTAT.EXE	cmd.exe
PID 536 wrote to memory of 1628	536	NAPSTAT.EXE	cmd.exe
PID 536 wrote to memory of 864	536	NAPSTAT.EXE	Firefox.exe
PID 536 wrote to memory of 864	536	NAPSTAT.EXE	Firefox.exe
PID 536 wrote to memory of 864	536	NAPSTAT.EXE	Firefox.exe
PID 536 wrote to memory of 864	536	NAPSTAT.EXE	Firefox.exe
PID 536 wrote to memory of 864	536	NAPSTAT.EXE	Firefox.exe
PID 536 wrote to memory of 1676	536	NAPSTAT.EXE	explorer.exe
PID 536 wrote to memory of 1676	536	NAPSTAT.EXE	explorer.exe
PID 536 wrote to memory of 1676	536	NAPSTAT.EXE	explorer.exe
PID 536 wrote to memory of 1676	536	NAPSTAT.EXE	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\Quotation 301086.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 301086.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\iklxnv.exe
C:\Users\Admin\AppData\Local\Temp\iklxnv.exe C:\Users\Admin\AppData\Local\Temp\vkbiykyy
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\iklxnv.exe
C:\Users\Admin\AppData\Local\Temp\iklxnv.exe C:\Users\Admin\AppData\Local\Temp\vkbiykyy
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\iklxnv.exe"
3⤵
PID:1628

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:864

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:1676

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d55z6aw3a97sxb697
Filesize
171KB

MD5
cc1c6353e5da67fa0bde02ccb2e4fe13

SHA1
723618954b69f3e8799d8342143a6550b9eefbda

SHA256
65a0b24dd02c6d636f143f7a4d4a492e04812b1462f42b5f3155a2f1f0f0e725

SHA512
2abb2fb78e34863a6445d341fe3fecf7cadaa3bfb1877bc31bbb33bd87995e44c327bc58562fb17b3ab71a54de1f7ad27f65e68ed4fe8d7f2083c92b1c4b4d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\iklxnv.exe
Filesize
187KB

MD5
dc3b25215baca266c185f2bad746e8df

SHA1
3a8e09485d86a00f32619f845f044dff29f0d1e6

SHA256
ffda6eaa7ea9b404b396d473467c92ec05c710ec7ac3a323c1f037d008ba54f9

SHA512
e4435b80f375856bdc7a31af1e6886ffabafebe6927aec03b36f99bc42f361650f823595caa46b93f05c5f7036cf2745344befdaf0d6d13c470f620293eb4faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iklxnv.exe
Filesize
187KB

MD5
dc3b25215baca266c185f2bad746e8df

SHA1
3a8e09485d86a00f32619f845f044dff29f0d1e6

SHA256
ffda6eaa7ea9b404b396d473467c92ec05c710ec7ac3a323c1f037d008ba54f9

SHA512
e4435b80f375856bdc7a31af1e6886ffabafebe6927aec03b36f99bc42f361650f823595caa46b93f05c5f7036cf2745344befdaf0d6d13c470f620293eb4faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iklxnv.exe
Filesize
187KB

MD5
dc3b25215baca266c185f2bad746e8df

SHA1
3a8e09485d86a00f32619f845f044dff29f0d1e6

SHA256
ffda6eaa7ea9b404b396d473467c92ec05c710ec7ac3a323c1f037d008ba54f9

SHA512
e4435b80f375856bdc7a31af1e6886ffabafebe6927aec03b36f99bc42f361650f823595caa46b93f05c5f7036cf2745344befdaf0d6d13c470f620293eb4faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkbiykyy
Filesize
5KB

MD5
6ec4ee592fafd384a7a2382c4c97b6e5

SHA1
1acf339db76153a26d24c647671d1b4b5f6c7b4c

SHA256
45bdd4a262d4bc14e6e032521d11e73429a98faa3ad52daa4dbbe7d395460c7a

SHA512
dc494b4b032721e5578422898deb95fb9608777b70f4f3ff9c079f869540e07ce207d73fcad0e4e84565186029ee0be0f8c3edd728d39aef1d71ed0789f0e4ba

Download Submit
\Users\Admin\AppData\Local\Temp\iklxnv.exe
Filesize
187KB

MD5
dc3b25215baca266c185f2bad746e8df

SHA1
3a8e09485d86a00f32619f845f044dff29f0d1e6

SHA256
ffda6eaa7ea9b404b396d473467c92ec05c710ec7ac3a323c1f037d008ba54f9

SHA512
e4435b80f375856bdc7a31af1e6886ffabafebe6927aec03b36f99bc42f361650f823595caa46b93f05c5f7036cf2745344befdaf0d6d13c470f620293eb4faa

Download Submit
\Users\Admin\AppData\Local\Temp\iklxnv.exe
Filesize
187KB

MD5
dc3b25215baca266c185f2bad746e8df

SHA1
3a8e09485d86a00f32619f845f044dff29f0d1e6

SHA256
ffda6eaa7ea9b404b396d473467c92ec05c710ec7ac3a323c1f037d008ba54f9

SHA512
e4435b80f375856bdc7a31af1e6886ffabafebe6927aec03b36f99bc42f361650f823595caa46b93f05c5f7036cf2745344befdaf0d6d13c470f620293eb4faa

Download Submit
memory/536-74-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/536-71-0x0000000000000000-mapping.dmp

Download
memory/536-76-0x0000000001CB0000-0x0000000001D40000-memory.dmp

Filesize
576KB

Download
memory/536-75-0x0000000001E60000-0x0000000002163000-memory.dmp

Filesize
3.0MB

Download
memory/536-73-0x0000000000140000-0x0000000000186000-memory.dmp

Filesize
280KB

Download
memory/896-68-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/896-69-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/896-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/896-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/896-64-0x000000000041F350-mapping.dmp

Download
memory/1232-70-0x0000000002B30000-0x0000000002C38000-memory.dmp

Filesize
1.0MB

Download
memory/1232-77-0x0000000004B30000-0x0000000004BE5000-memory.dmp

Filesize
724KB

Download
memory/1324-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1628-72-0x0000000000000000-mapping.dmp

Download
memory/1676-79-0x0000000000000000-mapping.dmp

Download
memory/1680-80-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1680-82-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/1868-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads