formbook | 86e4d5f6e971a493c6d56fbdb71a4a6c6deaf7eca8c30f086bafba45159f8e22

General

Target

shipping document.exe
Size

521KB
MD5

557350a46a849eb9ae8bc28a629bf3d5
SHA1

8a773187553730b62bc9ba58457b8a97523f953e
SHA256

576d080b4cab07bd5c3ef3e5d6a222b91744368ed837a3e56eb89772c1b5a1de
SHA512

aee4d4881f1d20b7837f690291702c7ead7c6900f0a68fa29f6c5fbd06fc91d7d13f893b70543c172d3a3732d47262aeca3209af81cc396eddc3dd3412ccad64

Score

10^/10

formbook xloader pdrq evasion loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

shipping document.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions shipping document.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	shipping document.exe

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3148-145-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/3148-154-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/2020-160-0x0000000000DA0000-0x0000000000DCB000-memory.dmp	xloader
behavioral2/memory/2020-171-0x0000000000DA0000-0x0000000000DCB000-memory.dmp	xloader

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

shipping document.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools shipping document.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	shipping document.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

shipping document.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	shipping document.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	shipping document.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

shipping document.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	shipping document.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VBFDTXEPWR = "C:\\Program Files (x86)\\D2d9\\zb-hdxsrmp.exe"	NETSTAT.EXE

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

shipping document.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	shipping document.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	shipping document.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

shipping document.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 4660 set thread context of 3148	4660	shipping document.exe	RegSvcs.exe
PID 3148 set thread context of 2832	3148	RegSvcs.exe	Explorer.EXE
PID 2020 set thread context of 2832	2020	NETSTAT.EXE	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

NETSTAT.EXE

description ioc process

File opened for modification C:\Program Files (x86)\D2d9\zb-hdxsrmp.exe NETSTAT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4404 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2020 NETSTAT.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\D2d9\zb-hdxsrmp.exe	NETSTAT.EXE

pid	process
4404	schtasks.exe

pid	process
2020	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

shipping document.exepowershell.exeRegSvcs.exeNETSTAT.EXE

pid	process
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
4660	shipping document.exe
1600	powershell.exe
3148	RegSvcs.exe
3148	RegSvcs.exe
3148	RegSvcs.exe
3148	RegSvcs.exe
1600	powershell.exe
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2832 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

3148 RegSvcs.exe
3148 RegSvcs.exe
3148 RegSvcs.exe
2020 NETSTAT.EXE
2020 NETSTAT.EXE
2020 NETSTAT.EXE

pid	process
2832	Explorer.EXE

pid	process
3148	RegSvcs.exe
3148	RegSvcs.exe
3148	RegSvcs.exe
2020	NETSTAT.EXE
2020	NETSTAT.EXE
2020	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

shipping document.exepowershell.exeRegSvcs.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4660	shipping document.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	3148	RegSvcs.exe
Token: SeDebugPrivilege	2020	NETSTAT.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

shipping document.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4660 wrote to memory of 1600	4660	shipping document.exe	powershell.exe
PID 4660 wrote to memory of 1600	4660	shipping document.exe	powershell.exe
PID 4660 wrote to memory of 1600	4660	shipping document.exe	powershell.exe
PID 4660 wrote to memory of 4404	4660	shipping document.exe	schtasks.exe
PID 4660 wrote to memory of 4404	4660	shipping document.exe	schtasks.exe
PID 4660 wrote to memory of 4404	4660	shipping document.exe	schtasks.exe
PID 4660 wrote to memory of 3204	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3204	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3204	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 4696	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 4696	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 4696	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 1876	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 1876	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 1876	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 4660 wrote to memory of 3148	4660	shipping document.exe	RegSvcs.exe
PID 2832 wrote to memory of 2020	2832	Explorer.EXE	NETSTAT.EXE
PID 2832 wrote to memory of 2020	2832	Explorer.EXE	NETSTAT.EXE
PID 2832 wrote to memory of 2020	2832	Explorer.EXE	NETSTAT.EXE
PID 2020 wrote to memory of 4428	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 4428	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 4428	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 3056	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 3056	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 3056	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 4420	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 4420	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 4420	2020	NETSTAT.EXE	cmd.exe
PID 2020 wrote to memory of 1060	2020	NETSTAT.EXE	Firefox.exe
PID 2020 wrote to memory of 1060	2020	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\shipping document.exe
"C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ylJHrC.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ylJHrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2625.tmp"
3⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4420

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2625.tmp
Filesize
1KB

MD5
0883eb6b8c9055717ea6b65ed8e30253

SHA1
983b49da6b704eeb8f089800b3eb49cf5ec1117e

SHA256
ce26020ab20abf5038ba3c2d772e856d00b4a139445fd11e5d7775470ebcc88f

SHA512
0b13851d4b4d93f36f2b048aa69f5495d0fbadd05eea337645b7247cf66b0c71f402967b8e84fdae0c3b37252a8d2f80f7f32e9a01e71e8c897968f883206572

Download Submit
memory/1600-140-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/1600-163-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/1600-166-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/1600-136-0x0000000000000000-mapping.dmp

Download
memory/1600-165-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/1600-138-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/1600-168-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/1600-155-0x0000000006880000-0x00000000068B2000-memory.dmp

Filesize
200KB

Download
memory/1600-164-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/1600-167-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/1600-150-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/1600-161-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/1600-157-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/1600-146-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/1600-147-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/1600-156-0x0000000071620000-0x000000007166C000-memory.dmp

Filesize
304KB

Download
memory/1876-143-0x0000000000000000-mapping.dmp

Download
memory/2020-153-0x0000000000000000-mapping.dmp

Download
memory/2020-169-0x00000000015B0000-0x0000000001640000-memory.dmp

Filesize
576KB

Download
memory/2020-171-0x0000000000DA0000-0x0000000000DCB000-memory.dmp

Filesize
172KB

Download
memory/2020-162-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/2020-160-0x0000000000DA0000-0x0000000000DCB000-memory.dmp

Filesize
172KB

Download
memory/2020-159-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/2832-172-0x0000000008170000-0x0000000008208000-memory.dmp

Filesize
608KB

Download
memory/2832-152-0x00000000084B0000-0x00000000085B7000-memory.dmp

Filesize
1.0MB

Download
memory/2832-170-0x0000000008170000-0x0000000008208000-memory.dmp

Filesize
608KB

Download
memory/3056-173-0x0000000000000000-mapping.dmp

Download
memory/3148-144-0x0000000000000000-mapping.dmp

Download
memory/3148-148-0x00000000018F0000-0x0000000001C3A000-memory.dmp

Filesize
3.3MB

Download
memory/3148-151-0x00000000015F0000-0x0000000001601000-memory.dmp

Filesize
68KB

Download
memory/3148-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3148-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3204-141-0x0000000000000000-mapping.dmp

Download
memory/4404-137-0x0000000000000000-mapping.dmp

Download
memory/4420-175-0x0000000000000000-mapping.dmp

Download
memory/4428-158-0x0000000000000000-mapping.dmp

Download
memory/4660-134-0x00000000086B0000-0x000000000874C000-memory.dmp

Filesize
624KB

Download
memory/4660-133-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/4660-135-0x00000000089E0000-0x0000000008A46000-memory.dmp

Filesize
408KB

Download
memory/4660-130-0x0000000000050000-0x00000000000D8000-memory.dmp

Filesize
544KB

Download
memory/4660-132-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/4660-131-0x0000000004FC0000-0x0000000005564000-memory.dmp

Filesize
5.6MB

Download
memory/4696-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads