formbook | d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010

Analysis

max time kernel
147s
max time network
148s
platform
windows10_x64
resource
win10-20220414-en
submitted
07-07-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9Vpz6YEQuRqDljF.exe
Size

664KB
MD5

ff73f2e9be581f3bbbaee6438a9ffa67
SHA1

6a77722a024580b6756120b1e0e358898557e129
SHA256

d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010
SHA512

b0b2c21cb7952d7b315671027c1af8ee46a684f42b50f50bac72787680290dc95f5ad9eb7451c0cec7fe4cc2b1f0ef22304a0beb877c8708f84515f952e8411f

Score

10^/10

formbook xloader loader persistence rat spyware stealer suricata trojan

Malware Config

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3752-188-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3752-189-0x0000000000420070-mapping.dmp	xloader
behavioral2/memory/3752-219-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2984-250-0x00000000027D0000-0x00000000027FC000-memory.dmp	xloader
behavioral2/memory/2984-255-0x00000000027D0000-0x00000000027FC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9Vpz6YEQuRqDljF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Control Panel\International\Geo\Nation	9Vpz6YEQuRqDljF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KZIHEDZXZR = "C:\\Program Files (x86)\\V6lopdxmx\\igfxali8f.exe"	cscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

9Vpz6YEQuRqDljF.exe9Vpz6YEQuRqDljF.execscript.exe

description	pid	process	target process
PID 3192 set thread context of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3752 set thread context of 2152	3752	9Vpz6YEQuRqDljF.exe	Explorer.EXE
PID 3752 set thread context of 2152	3752	9Vpz6YEQuRqDljF.exe	Explorer.EXE
PID 2984 set thread context of 2152	2984	cscript.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cscript.exe

description ioc process

File opened for modification C:\Program Files (x86)\V6lopdxmx\igfxali8f.exe cscript.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\V6lopdxmx\igfxali8f.exe	cscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3578829114-180201921-3281645608-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

9Vpz6YEQuRqDljF.execscript.exe

pid	process
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2152 Explorer.EXE

pid	process
2152	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

9Vpz6YEQuRqDljF.execscript.exe

pid	process
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
3752	9Vpz6YEQuRqDljF.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe
2984	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9Vpz6YEQuRqDljF.execscript.exe

description pid process

Token: SeDebugPrivilege 3752 9Vpz6YEQuRqDljF.exe
Token: SeDebugPrivilege 2984 cscript.exe

description	pid	process
Token: SeDebugPrivilege	3752	9Vpz6YEQuRqDljF.exe
Token: SeDebugPrivilege	2984	cscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9Vpz6YEQuRqDljF.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 3192 wrote to memory of 3752	3192	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 2152 wrote to memory of 2984	2152	Explorer.EXE	cscript.exe
PID 2152 wrote to memory of 2984	2152	Explorer.EXE	cscript.exe
PID 2152 wrote to memory of 2984	2152	Explorer.EXE	cscript.exe
PID 2984 wrote to memory of 704	2984	cscript.exe	cmd.exe
PID 2984 wrote to memory of 704	2984	cscript.exe	cmd.exe
PID 2984 wrote to memory of 704	2984	cscript.exe	cmd.exe
PID 2984 wrote to memory of 3888	2984	cscript.exe	Firefox.exe
PID 2984 wrote to memory of 3888	2984	cscript.exe	Firefox.exe
PID 2984 wrote to memory of 3888	2984	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe
"C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe
"C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
3⤵
PID:704

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-243-0x0000000000000000-mapping.dmp

Download
memory/2152-214-0x00000000025B0000-0x00000000026AB000-memory.dmp

Filesize
1004KB

Download
memory/2152-217-0x0000000004F70000-0x0000000005083000-memory.dmp

Filesize
1.1MB

Download
memory/2152-256-0x0000000005090000-0x00000000051D6000-memory.dmp

Filesize
1.3MB

Download
memory/2152-254-0x0000000005090000-0x00000000051D6000-memory.dmp

Filesize
1.3MB

Download
memory/2984-218-0x0000000000000000-mapping.dmp

Download
memory/2984-250-0x00000000027D0000-0x00000000027FC000-memory.dmp

Filesize
176KB

Download
memory/2984-255-0x00000000027D0000-0x00000000027FC000-memory.dmp

Filesize
176KB

Download
memory/2984-253-0x0000000004420000-0x00000000045B3000-memory.dmp

Filesize
1.6MB

Download
memory/2984-251-0x0000000004760000-0x0000000004A80000-memory.dmp

Filesize
3.1MB

Download
memory/2984-249-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/3192-155-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/3192-161-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-124-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-125-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-126-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-127-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-128-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-129-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-130-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-131-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-132-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-133-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-134-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-135-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-136-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-137-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-138-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-140-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-139-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-141-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-142-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-143-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-145-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-144-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-146-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-147-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-148-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-149-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-150-0x0000000000830000-0x00000000008DC000-memory.dmp

Filesize
688KB

Download
memory/3192-151-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-152-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-153-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/3192-154-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-122-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-156-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-157-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-158-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-159-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-160-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-123-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-162-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-163-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-164-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-165-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-166-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-167-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-168-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-169-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-170-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-171-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/3192-172-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-173-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-174-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-175-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-177-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-176-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-178-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-179-0x0000000005470000-0x0000000005490000-memory.dmp

Filesize
128KB

Download
memory/3192-180-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/3192-181-0x0000000007960000-0x00000000079AB000-memory.dmp

Filesize
300KB

Download
memory/3192-182-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-183-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-184-0x0000000007C10000-0x0000000007C8A000-memory.dmp

Filesize
488KB

Download
memory/3192-185-0x0000000007D30000-0x0000000007DCC000-memory.dmp

Filesize
624KB

Download
memory/3192-186-0x0000000001020000-0x0000000001086000-memory.dmp

Filesize
408KB

Download
memory/3192-187-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download
memory/3192-116-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-117-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-118-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-119-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-120-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3192-121-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3752-213-0x00000000017F0000-0x0000000001980000-memory.dmp

Filesize
1.6MB

Download
memory/3752-212-0x0000000001980000-0x0000000001CA0000-memory.dmp

Filesize
3.1MB

Download
memory/3752-191-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3752-190-0x0000000077E40000-0x0000000077FCE000-memory.dmp

Filesize
1.6MB

Download
memory/3752-189-0x0000000000420070-mapping.dmp

Download
memory/3752-188-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3752-216-0x0000000001CC0000-0x0000000001CD1000-memory.dmp

Filesize
68KB

Download
memory/3752-219-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download