formbook | a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f

General

Target

shipping documents.exe
Size

545KB
MD5

9c51dcdcbb9a4cab887c3036bf8acea5
SHA1

7f0a99049ce06b600a89516d77adf3649593be21
SHA256

a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f
SHA512

3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58

Score

10^/10

formbook xloader gfv7 loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1376-62-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1376-63-0x000000000041F810-mapping.dmp	xloader
behavioral1/memory/1376-69-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1736-73-0x0000000000090000-0x00000000000BC000-memory.dmp	xloader
behavioral1/memory/1736-77-0x0000000000090000-0x00000000000BC000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

13 1736 msiexec.exe
14 1736 msiexec.exe

flow	pid	process
13	1736	msiexec.exe
14	1736	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

shipping documents.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	shipping documents.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe

pid	process
940	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LNU4L = "C:\\Program Files (x86)\\Myjlhb6b\\wind4d8qfwh.exe"	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

shipping documents.exeshipping documents.exemsiexec.exe

description	pid	process	target process
PID 1948 set thread context of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1376 set thread context of 1304	1376	shipping documents.exe	Explorer.EXE
PID 1736 set thread context of 1304	1736	msiexec.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\Program Files (x86)\Myjlhb6b\wind4d8qfwh.exe msiexec.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Myjlhb6b\wind4d8qfwh.exe	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

shipping documents.exemsiexec.exe

pid	process
1376	shipping documents.exe
1376	shipping documents.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe
1736	msiexec.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

shipping documents.exemsiexec.exe

pid process

1376 shipping documents.exe
1376 shipping documents.exe
1376 shipping documents.exe
1736 msiexec.exe
1736 msiexec.exe
1736 msiexec.exe
1736 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shipping documents.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1376 shipping documents.exe
Token: SeDebugPrivilege 1736 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1376	shipping documents.exe
Token: SeDebugPrivilege	1736	msiexec.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE

pid	process
1304	Explorer.EXE
1304	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

shipping documents.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1948 wrote to memory of 1376	1948	shipping documents.exe	shipping documents.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1304 wrote to memory of 1736	1304	Explorer.EXE	msiexec.exe
PID 1736 wrote to memory of 940	1736	msiexec.exe	cmd.exe
PID 1736 wrote to memory of 940	1736	msiexec.exe	cmd.exe
PID 1736 wrote to memory of 940	1736	msiexec.exe	cmd.exe
PID 1736 wrote to memory of 940	1736	msiexec.exe	cmd.exe
PID 1736 wrote to memory of 800	1736	msiexec.exe	Firefox.exe
PID 1736 wrote to memory of 800	1736	msiexec.exe	Firefox.exe
PID 1736 wrote to memory of 800	1736	msiexec.exe	Firefox.exe
PID 1736 wrote to memory of 800	1736	msiexec.exe	Firefox.exe
PID 1736 wrote to memory of 800	1736	msiexec.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
"{path}"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
3⤵
- Deletes itself
PID:940

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-71-0x0000000000000000-mapping.dmp

Download
memory/1304-67-0x0000000006ED0000-0x0000000007031000-memory.dmp

Filesize
1.4MB

Download
memory/1304-78-0x0000000007040000-0x000000000718C000-memory.dmp

Filesize
1.3MB

Download
memory/1304-76-0x0000000007040000-0x000000000718C000-memory.dmp

Filesize
1.3MB

Download
memory/1376-66-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1376-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1376-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1376-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1376-63-0x000000000041F810-mapping.dmp

Download
memory/1376-65-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/1376-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download
memory/1736-72-0x0000000000810000-0x0000000000824000-memory.dmp

Filesize
80KB

Download
memory/1736-73-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1736-74-0x0000000002390000-0x0000000002693000-memory.dmp

Filesize
3.0MB

Download
memory/1736-75-0x0000000000B50000-0x0000000000BE0000-memory.dmp

Filesize
576KB

Download
memory/1736-77-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/1948-58-0x0000000000A40000-0x0000000000A72000-memory.dmp

Filesize
200KB

Download
memory/1948-54-0x0000000001300000-0x000000000138E000-memory.dmp

Filesize
568KB

Download
memory/1948-57-0x00000000056F0000-0x0000000005776000-memory.dmp

Filesize
536KB

Download
memory/1948-56-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1948-55-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads