formbook | 5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc

Analysis

max time kernel
209s
max time network
216s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-06-2022 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
Size

1.6MB
MD5

52da53b1c61bf409b32f845f3806479a
SHA1

4e4120c159b2ff506c8719332dc38298ac092659
SHA256

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc
SHA512

3a1ffa7db0f5b90deccbf9f84033e19ed43f9d28006f40c2c8d1cbe7c337f6fd458c966bef0b29c8f1cde725d1e1abfecb65c00b5ae6f908dcb33ecb83c7dbca

Score

10^/10

formbook xloader mt88 loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mt88

Decoy

syzbf32.xyz

pertlines.com

vybaveniprocyklostezky.com

elianmsalas.tech

a-snag-tokei-kaitori.com

tuvistaing.com

whoyoucall.net

l8e9gr.xyz

sophrologuemontevrain77.com

ciclean.com

the-roel.com

campgreencove.com

foremostbookkeeping.com

zamanscorner.com

efeturozemniyet.com

penelope.team

murata.life

solfuls.com

tradefitinvesting.com

skinbid.pro

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4076-172-0x000000000041F2C0-mapping.dmp	xloader
behavioral1/memory/4076-171-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/4076-202-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1848-220-0x0000000002590000-0x00000000025BB000-memory.dmp	xloader
behavioral1/memory/1848-239-0x0000000002590000-0x00000000025BB000-memory.dmp	xloader

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OHVHTXC0UB4 = "C:\\Program Files (x86)\\Sgtw0ddv\\s289ra4.exe"	ipconfig.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exesetup16.exeipconfig.exe

description	pid	process	target process
PID 3464 set thread context of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 4076 set thread context of 1276	4076	setup16.exe	Explorer.EXE
PID 1848 set thread context of 1276	1848	ipconfig.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

ipconfig.exe

description ioc process

File opened for modification C:\Program Files (x86)\Sgtw0ddv\s289ra4.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1848 ipconfig.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Sgtw0ddv\s289ra4.exe	ipconfig.exe

pid	process
1848	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3578829114-180201921-3281645608-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exesetup16.exeipconfig.exe

pid	process
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
4076	setup16.exe
4076	setup16.exe
4076	setup16.exe
4076	setup16.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

setup16.exeipconfig.exe

pid process

4076 setup16.exe
4076 setup16.exe
4076 setup16.exe
1848 ipconfig.exe
1848 ipconfig.exe
1848 ipconfig.exe
1848 ipconfig.exe

pid	process
1276	Explorer.EXE

pid	process
4076	setup16.exe
4076	setup16.exe
4076	setup16.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe
1848	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exesetup16.exeipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
Token: SeDebugPrivilege	4076	setup16.exe
Token: SeDebugPrivilege	1848	ipconfig.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 3464 wrote to memory of 4076	3464	5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe	setup16.exe
PID 1276 wrote to memory of 1848	1276	Explorer.EXE	ipconfig.exe
PID 1276 wrote to memory of 1848	1276	Explorer.EXE	ipconfig.exe
PID 1276 wrote to memory of 1848	1276	Explorer.EXE	ipconfig.exe
PID 1848 wrote to memory of 3724	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 3724	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 3724	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 2928	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 2928	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 2928	1848	ipconfig.exe	cmd.exe
PID 1848 wrote to memory of 3876	1848	ipconfig.exe	Firefox.exe
PID 1848 wrote to memory of 3876	1848	ipconfig.exe	Firefox.exe
PID 1848 wrote to memory of 3876	1848	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe
"C:\Users\Admin\AppData\Local\Temp\5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\setup16.exe
"C:\Windows\SysWOW64\setup16.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\setup16.exe"
3⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2928

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/1276-199-0x0000000005F80000-0x000000000611B000-memory.dmp

Filesize
1.6MB

Download
memory/1276-242-0x0000000002580000-0x00000000026B3000-memory.dmp

Filesize
1.2MB

Download
memory/1276-240-0x0000000002580000-0x00000000026B3000-memory.dmp

Filesize
1.2MB

Download
memory/1848-201-0x0000000000000000-mapping.dmp

Download
memory/1848-219-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1848-220-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/1848-241-0x00000000028CB000-0x0000000002A5A000-memory.dmp

Filesize
1.6MB

Download
memory/1848-239-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/1848-238-0x00000000028CB000-0x0000000002A5A000-memory.dmp

Filesize
1.6MB

Download
memory/1848-228-0x0000000002A80000-0x0000000002DA0000-memory.dmp

Filesize
3.1MB

Download
memory/2928-277-0x0000000000000000-mapping.dmp

Download
memory/3464-154-0x0000000005300000-0x000000000539C000-memory.dmp

Filesize
624KB

Download
memory/3464-161-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-126-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-128-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-129-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-130-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-127-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-131-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-133-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-135-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-136-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-138-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-139-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-137-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-134-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-140-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-132-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-141-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-142-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-143-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-144-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-145-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-146-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-147-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-148-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-149-0x00000000007C0000-0x0000000000962000-memory.dmp

Filesize
1.6MB

Download
memory/3464-150-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-151-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-152-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-153-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-124-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-155-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-156-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-157-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-158-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-125-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-162-0x00000000053A0000-0x000000000541C000-memory.dmp

Filesize
496KB

Download
memory/3464-160-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-159-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-163-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-164-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-167-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-168-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-170-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-169-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-166-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-165-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-116-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-117-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-118-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-119-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-120-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-121-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-122-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-123-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/3724-222-0x0000000000000000-mapping.dmp

Download
memory/4076-183-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-176-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-185-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-171-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4076-179-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-173-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-184-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-178-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-174-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-175-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-172-0x000000000041F2C0-mapping.dmp

Download
memory/4076-182-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-181-0x00000000776A0000-0x000000007782E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-197-0x00000000036A0000-0x00000000039C0000-memory.dmp

Filesize
3.1MB

Download
memory/4076-198-0x0000000003210000-0x0000000003221000-memory.dmp

Filesize
68KB

Download
memory/4076-202-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download