formbook | c30967d284c42ba987421cbadd7983f63c5d4def4599612c865241fbc343ee97

General

Target

content.10801.13899.19312.exe
Size

990KB
MD5

9fa7a956044487d2d21ff508eb8eee7a
SHA1

69360d4cabb7c9b59a0411a8a50dbf4141b28102
SHA256

c30967d284c42ba987421cbadd7983f63c5d4def4599612c865241fbc343ee97
SHA512

b7a65619ebd951ab154f8f142b74dccbc030d467d9006e8da7afbe0d5e0b5bf892a12031769b5a4387c082e047208c73e989915530f6406ddf3bf867d1646dac

Score

10^/10

formbook modiloader xloader loader persistence rat spyware stealer suricata trojan

Malware Config

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

ModiLoader Second Stage 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4712-141-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-142-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-143-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-144-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-145-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-146-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-147-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-148-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-149-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-150-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-151-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-153-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-154-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-152-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-155-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-156-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-158-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-165-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-164-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-163-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-162-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-161-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-160-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-159-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-157-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-171-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-172-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-173-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-170-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-181-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-185-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-184-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-183-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-182-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-180-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-169-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-187-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2
behavioral2/memory/4712-186-0x0000000004EC0000-0x0000000004F13000-memory.dmp	modiloader_stage2

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1572-168-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/4712-167-0x0000000010410000-0x000000001043C000-memory.dmp	xloader
behavioral2/memory/1572-189-0x0000000010410000-0x000000001043C000-memory.dmp	xloader
behavioral2/memory/3712-196-0x0000000001290000-0x00000000012BC000-memory.dmp	xloader
behavioral2/memory/3712-199-0x0000000001290000-0x00000000012BC000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

chkdskjzlt.exe

pid process

764 chkdskjzlt.exe

pid	process
764	chkdskjzlt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KTAPGZ906L = "C:\\Program Files (x86)\\Ukpgd\\chkdskjzlt.exe"	control.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.execontrol.exe

description	pid	process	target process
PID 1572 set thread context of 2576	1572	logagent.exe	Explorer.EXE
PID 3712 set thread context of 2576	3712	control.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEcontrol.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ukpgd	Explorer.EXE
File created	C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe	control.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

logagent.execontrol.exe

pid	process
1572	logagent.exe
1572	logagent.exe
1572	logagent.exe
1572	logagent.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe
3712	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

logagent.execontrol.exe

pid process

1572 logagent.exe
1572 logagent.exe
1572 logagent.exe
3712 control.exe
3712 control.exe
3712 control.exe
3712 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

logagent.execontrol.exe

description pid process

Token: SeDebugPrivilege 1572 logagent.exe
Token: SeDebugPrivilege 3712 control.exe

pid	process
2576	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1572	logagent.exe
Token: SeDebugPrivilege	3712	control.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

content.10801.13899.19312.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 4712 wrote to memory of 1572	4712	content.10801.13899.19312.exe	logagent.exe
PID 2576 wrote to memory of 3712	2576	Explorer.EXE	control.exe
PID 2576 wrote to memory of 3712	2576	Explorer.EXE	control.exe
PID 2576 wrote to memory of 3712	2576	Explorer.EXE	control.exe
PID 3712 wrote to memory of 628	3712	control.exe	cmd.exe
PID 3712 wrote to memory of 628	3712	control.exe	cmd.exe
PID 3712 wrote to memory of 628	3712	control.exe	cmd.exe
PID 3712 wrote to memory of 1372	3712	control.exe	Firefox.exe
PID 3712 wrote to memory of 1372	3712	control.exe	Firefox.exe
PID 3712 wrote to memory of 1372	3712	control.exe	Firefox.exe
PID 2576 wrote to memory of 764	2576	Explorer.EXE	chkdskjzlt.exe
PID 2576 wrote to memory of 764	2576	Explorer.EXE	chkdskjzlt.exe
PID 2576 wrote to memory of 764	2576	Explorer.EXE	chkdskjzlt.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\content.10801.13899.19312.exe
"C:\Users\Admin\AppData\Local\Temp\content.10801.13899.19312.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:628

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1372

C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe
"C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe"
2⤵
- Executes dropped EXE
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Program Files (x86)\Ukpgd\chkdskjzlt.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
memory/628-194-0x0000000000000000-mapping.dmp

Download
memory/764-202-0x0000000000000000-mapping.dmp

Download
memory/1572-189-0x0000000010410000-0x000000001043C000-memory.dmp

Filesize
176KB

Download
memory/1572-190-0x0000000003020000-0x000000000336A000-memory.dmp

Filesize
3.3MB

Download
memory/1572-168-0x0000000000000000-mapping.dmp

Download
memory/1572-191-0x0000000001480000-0x0000000001491000-memory.dmp

Filesize
68KB

Download
memory/2576-201-0x0000000008920000-0x0000000008AAE000-memory.dmp

Filesize
1.6MB

Download
memory/2576-200-0x0000000008920000-0x0000000008AAE000-memory.dmp

Filesize
1.6MB

Download
memory/2576-192-0x0000000002DF0000-0x0000000002EF8000-memory.dmp

Filesize
1.0MB

Download
memory/3712-197-0x00000000031D0000-0x000000000351A000-memory.dmp

Filesize
3.3MB

Download
memory/3712-193-0x0000000000000000-mapping.dmp

Download
memory/3712-196-0x0000000001290000-0x00000000012BC000-memory.dmp

Filesize
176KB

Download
memory/3712-195-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/3712-198-0x0000000002F70000-0x0000000003000000-memory.dmp

Filesize
576KB

Download
memory/3712-199-0x0000000001290000-0x00000000012BC000-memory.dmp

Filesize
176KB

Download
memory/4712-155-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-165-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-163-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-162-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-161-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-160-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-159-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-157-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-171-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-172-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-173-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-170-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-181-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-185-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-184-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-183-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-182-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-180-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-169-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-164-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-167-0x0000000010410000-0x000000001043C000-memory.dmp

Filesize
176KB

Download
memory/4712-187-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-186-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-158-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-156-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-141-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-152-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-154-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-153-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-151-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-150-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-149-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-148-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-147-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-146-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-145-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-144-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-143-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download
memory/4712-142-0x0000000004EC0000-0x0000000004F13000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads