formbook | dd343e8e8564f63c03e29e51e23e4181817e37f8203f4ec5a8abb9f6ca21a7bf

General

Target

PAYMENT SWIFT.exe
Size

945KB
MD5

58a2b57d6fed01004f9a3836daf788aa
SHA1

c3f3d392937fc4b9603a802808c72276a2070484
SHA256

dd343e8e8564f63c03e29e51e23e4181817e37f8203f4ec5a8abb9f6ca21a7bf
SHA512

0cdb854bff03250a52126e987112a53a44d55c5b8d3b7e79f2a01001edeb7b89375082b1891faded95e507b48f7130665a50842e535c6c6b4ecb8970ccf7fef0

Score

10^/10

formbook xloader be3s loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be3s

Decoy

aoxaswa.info

souplab-graphic.com

churchontheisland.com

spclassic-cars.com

stanford-edu.club

heydowm.online

chattanooga-electricians.com

sectsk.com

cxg98.com

buildafricaonline.net

buydogcoin.com

vsst247.com

lodgelastrancas.com

ainonaho.com

griousndwarehsftyfs.xyz

voltagestabilizersupply.com

xn--79q565dzfex9hg81b.com

isrvr-ccrforum.info

chitiandi.com

criticaldisco.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1312-63-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1312-64-0x000000000041F320-mapping.dmp	xloader
behavioral1/memory/1312-69-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1312-73-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/2008-76-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader
behavioral1/memory/2008-80-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1968 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1968	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YLRDORP8FZX = "C:\\Program Files (x86)\\Wjjzxu\\audiodg3fz.exe"	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PAYMENT SWIFT.exePAYMENT SWIFT.execmd.exe

description	pid	process	target process
PID 1320 set thread context of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1312 set thread context of 1280	1312	PAYMENT SWIFT.exe	Explorer.EXE
PID 1312 set thread context of 1280	1312	PAYMENT SWIFT.exe	Explorer.EXE
PID 2008 set thread context of 1280	2008	cmd.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Program Files (x86)\Wjjzxu\audiodg3fz.exe cmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Wjjzxu\audiodg3fz.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

PAYMENT SWIFT.execmd.exe

pid	process
1312	PAYMENT SWIFT.exe
1312	PAYMENT SWIFT.exe
1312	PAYMENT SWIFT.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe
2008	cmd.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

PAYMENT SWIFT.execmd.exe

pid process

1312 PAYMENT SWIFT.exe
1312 PAYMENT SWIFT.exe
1312 PAYMENT SWIFT.exe
1312 PAYMENT SWIFT.exe
2008 cmd.exe
2008 cmd.exe
2008 cmd.exe
2008 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT SWIFT.execmd.exe

description pid process

Token: SeDebugPrivilege 1312 PAYMENT SWIFT.exe
Token: SeDebugPrivilege 2008 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1312	PAYMENT SWIFT.exe
Token: SeDebugPrivilege	2008	cmd.exe

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PAYMENT SWIFT.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1320 wrote to memory of 1312	1320	PAYMENT SWIFT.exe	PAYMENT SWIFT.exe
PID 1280 wrote to memory of 2008	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2008	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2008	1280	Explorer.EXE	cmd.exe
PID 1280 wrote to memory of 2008	1280	Explorer.EXE	cmd.exe
PID 2008 wrote to memory of 1968	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 1968	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 1968	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 1968	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 468	2008	cmd.exe	Firefox.exe
PID 2008 wrote to memory of 468	2008	cmd.exe	Firefox.exe
PID 2008 wrote to memory of 468	2008	cmd.exe	Firefox.exe
PID 2008 wrote to memory of 468	2008	cmd.exe	Firefox.exe
PID 2008 wrote to memory of 468	2008	cmd.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT SWIFT.exe"
3⤵
- Deletes itself
PID:1968

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-68-0x0000000006A20000-0x0000000006B81000-memory.dmp

Filesize
1.4MB

Download
memory/1280-81-0x0000000006D70000-0x0000000006EBF000-memory.dmp

Filesize
1.3MB

Download
memory/1280-79-0x0000000006D70000-0x0000000006EBF000-memory.dmp

Filesize
1.3MB

Download
memory/1280-71-0x0000000004810000-0x00000000048DE000-memory.dmp

Filesize
824KB

Download
memory/1312-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-64-0x000000000041F320-mapping.dmp

Download
memory/1312-66-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1312-67-0x0000000000190000-0x00000000001A1000-memory.dmp

Filesize
68KB

Download
memory/1312-70-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/1320-57-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1320-58-0x0000000004E10000-0x0000000004E7A000-memory.dmp

Filesize
424KB

Download
memory/1320-59-0x0000000002090000-0x00000000020C2000-memory.dmp

Filesize
200KB

Download
memory/1320-54-0x00000000002B0000-0x00000000003A0000-memory.dmp

Filesize
960KB

Download
memory/1320-56-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1320-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download
memory/2008-72-0x0000000000000000-mapping.dmp

Download
memory/2008-76-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/2008-75-0x000000004A260000-0x000000004A2AC000-memory.dmp

Filesize
304KB

Download
memory/2008-77-0x0000000001EA0000-0x00000000021A3000-memory.dmp

Filesize
3.0MB

Download
memory/2008-78-0x0000000001E00000-0x0000000001E90000-memory.dmp

Filesize
576KB

Download
memory/2008-80-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads