formbook | c0682fddc02723c5c9caf15217176fe2fad5e6fa50c6882c2dac45973639538b

General

Target

Yeni siparis eklendi.exe
Size

856KB
MD5

ef18be7a8a68e50aca6d38f09f27e85a
SHA1

3fafd20f322f0b979d7f063b4fcc050e6c31f9dc
SHA256

6e995aee360d55b347727e8ffc0c61df76cbf467f4380840d63ec80181e2d5bf
SHA512

cf53775a14e4cd407f70ed978985163e0c60c6394a954b918b989036d51d4a9bcae9028831925f62831503d1b8d5f1b35e4d5b5815564dc201c159be3531486e

Score

10^/10

formbook modiloader xloader uj3c loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

ModiLoader Second Stage 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-65-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-66-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-68-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-67-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-71-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-72-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-70-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-69-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-76-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-75-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-90-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-89-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-88-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-87-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-86-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-85-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-84-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-83-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-82-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-81-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-80-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-79-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-78-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-77-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-74-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-73-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-98-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-100-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-99-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-97-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-96-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-114-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-113-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-112-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-111-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-109-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-108-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2
behavioral1/memory/1008-107-0x0000000004940000-0x0000000004992000-memory.dmp	modiloader_stage2

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1008-92-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral1/memory/1628-95-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/1628-116-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral1/memory/1504-124-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader
behavioral1/memory/1504-127-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UP-T5HTHUJS = "C:\\Program Files (x86)\\Lyzmpyxt8\\igfxz6axv4a8.exe"	wlanext.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Yeni siparis eklendi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uhfywyzucc = "C:\\Users\\Public\\Libraries\\ccuzywyfhU.url"	Yeni siparis eklendi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exewlanext.exe

description	pid	process	target process
PID 1628 set thread context of 1280	1628	logagent.exe	Explorer.EXE
PID 1504 set thread context of 1280	1504	wlanext.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wlanext.exe

description ioc process

File opened for modification C:\Program Files (x86)\Lyzmpyxt8\igfxz6axv4a8.exe wlanext.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Lyzmpyxt8\igfxz6axv4a8.exe	wlanext.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Yeni siparis eklendi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Yeni siparis eklendi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Yeni siparis eklendi.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

logagent.exewlanext.exe

pid	process
1628	logagent.exe
1628	logagent.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe
1504	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

logagent.exewlanext.exe

pid process

1628 logagent.exe
1628 logagent.exe
1628 logagent.exe
1504 wlanext.exe
1504 wlanext.exe
1504 wlanext.exe
1504 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

logagent.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1628 logagent.exe
Token: SeDebugPrivilege 1504 wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1628	logagent.exe
Token: SeDebugPrivilege	1504	wlanext.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Yeni siparis eklendi.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1008 wrote to memory of 1628	1008	Yeni siparis eklendi.exe	logagent.exe
PID 1280 wrote to memory of 1504	1280	Explorer.EXE	wlanext.exe
PID 1280 wrote to memory of 1504	1280	Explorer.EXE	wlanext.exe
PID 1280 wrote to memory of 1504	1280	Explorer.EXE	wlanext.exe
PID 1280 wrote to memory of 1504	1280	Explorer.EXE	wlanext.exe
PID 1504 wrote to memory of 1632	1504	wlanext.exe	cmd.exe
PID 1504 wrote to memory of 1632	1504	wlanext.exe	cmd.exe
PID 1504 wrote to memory of 1632	1504	wlanext.exe	cmd.exe
PID 1504 wrote to memory of 1632	1504	wlanext.exe	cmd.exe
PID 1504 wrote to memory of 592	1504	wlanext.exe	Firefox.exe
PID 1504 wrote to memory of 592	1504	wlanext.exe	Firefox.exe
PID 1504 wrote to memory of 592	1504	wlanext.exe	Firefox.exe
PID 1504 wrote to memory of 592	1504	wlanext.exe	Firefox.exe
PID 1504 wrote to memory of 592	1504	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe
"C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:1632

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-73-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-109-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-66-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-68-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-67-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-71-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-72-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-70-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-69-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-76-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-75-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-90-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-89-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-88-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-87-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-86-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-85-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-84-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-83-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-82-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-81-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-80-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1008-78-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-77-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-74-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-79-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-92-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1008-65-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-100-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-99-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-97-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-96-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-114-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-113-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-112-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-111-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-98-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-108-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1008-107-0x0000000004940000-0x0000000004992000-memory.dmp

Filesize
328KB

Download
memory/1280-128-0x0000000006AE0000-0x0000000006C6E000-memory.dmp

Filesize
1.6MB

Download
memory/1280-119-0x0000000004920000-0x00000000049E8000-memory.dmp

Filesize
800KB

Download
memory/1280-126-0x0000000006AE0000-0x0000000006C6E000-memory.dmp

Filesize
1.6MB

Download
memory/1504-125-0x0000000000940000-0x00000000009D0000-memory.dmp

Filesize
576KB

Download
memory/1504-120-0x0000000000000000-mapping.dmp

Download
memory/1504-122-0x0000000002190000-0x0000000002493000-memory.dmp

Filesize
3.0MB

Download
memory/1504-127-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1504-123-0x0000000000D70000-0x0000000000D86000-memory.dmp

Filesize
88KB

Download
memory/1504-124-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1628-118-0x0000000000200000-0x0000000000211000-memory.dmp

Filesize
68KB

Download
memory/1628-95-0x0000000000000000-mapping.dmp

Download
memory/1628-93-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1628-116-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1628-117-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/1632-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads