formbook | b47cf0eaed7e3798e77eaf01aac5783f2c03f7db7802a5215523d4ccdc631bc5

General

Target

tmp.exe
Size

293KB
MD5

960b0f8219762d17f6f47ee76275c7c1
SHA1

ed0eaa1b2d7636d74713c86548842cdb72b8c8cd
SHA256

b47cf0eaed7e3798e77eaf01aac5783f2c03f7db7802a5215523d4ccdc631bc5
SHA512

06d9751f85266c92e666400dc911271e3354ca550a12a6e45386f46f23c56e02986d8a763f394ecbe470952379a752cb0ab26dee5dcc8d4cab84d28e34104ccc
SSDEEP

6144:eqJT5/+TVlkf7jWDUaLOjYmCVdKrLVi2D9y4CUFHHv:e61+BIjbaafCi/Vi2D9yJU1

Score

10^/10

formbook xloader zgtb loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1192-139-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/1192-152-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/1192-156-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/484-160-0x0000000000C00000-0x0000000000C2B000-memory.dmp	xloader
behavioral2/memory/484-161-0x0000000000C00000-0x0000000000C2B000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EXID3TV0V4ZX = "C:\\Program Files (x86)\\Wyn_hzldh\\wfi1bjlxv.exe"	cmd.exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%	Powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exeaspnet_compiler.execmd.exe

description	pid	process	target process
PID 4828 set thread context of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 1192 set thread context of 2976	1192	aspnet_compiler.exe	Explorer.EXE
PID 1192 set thread context of 2976	1192	aspnet_compiler.exe	Explorer.EXE
PID 484 set thread context of 2976	484	cmd.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Program Files (x86)\Wyn_hzldh\wfi1bjlxv.exe cmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Wyn_hzldh\wfi1bjlxv.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

tmp.exeaspnet_compiler.exePowershell.execmd.exe

pid	process
4828	tmp.exe
4828	tmp.exe
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
3680	Powershell.exe
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
3680	Powershell.exe
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2976 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

aspnet_compiler.execmd.exe

pid process

1192 aspnet_compiler.exe
1192 aspnet_compiler.exe
1192 aspnet_compiler.exe
1192 aspnet_compiler.exe
484 cmd.exe
484 cmd.exe
484 cmd.exe
484 cmd.exe

pid	process
2976	Explorer.EXE

pid	process
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
1192	aspnet_compiler.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe
484	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exePowershell.exeaspnet_compiler.execmd.exe

description	pid	process
Token: SeDebugPrivilege	4828	tmp.exe
Token: SeDebugPrivilege	3680	Powershell.exe
Token: SeDebugPrivilege	1192	aspnet_compiler.exe
Token: SeDebugPrivilege	484	cmd.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

tmp.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 3680	4828	tmp.exe	Powershell.exe
PID 4828 wrote to memory of 3680	4828	tmp.exe	Powershell.exe
PID 4828 wrote to memory of 3680	4828	tmp.exe	Powershell.exe
PID 4828 wrote to memory of 1408	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1408	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1408	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 4828 wrote to memory of 1192	4828	tmp.exe	aspnet_compiler.exe
PID 2976 wrote to memory of 484	2976	Explorer.EXE	cmd.exe
PID 2976 wrote to memory of 484	2976	Explorer.EXE	cmd.exe
PID 2976 wrote to memory of 484	2976	Explorer.EXE	cmd.exe
PID 484 wrote to memory of 4188	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 4188	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 4188	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 3952	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 3952	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 3952	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 2220	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 2220	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 2220	484	cmd.exe	cmd.exe
PID 484 wrote to memory of 2796	484	cmd.exe	Firefox.exe
PID 484 wrote to memory of 2796	484	cmd.exe	Firefox.exe
PID 484 wrote to memory of 2796	484	cmd.exe	Firefox.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:484

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2220

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/484-162-0x0000000001300000-0x0000000001390000-memory.dmp

Filesize
576KB

Download
memory/484-155-0x0000000000000000-mapping.dmp

Download
memory/484-158-0x0000000000020000-0x000000000007A000-memory.dmp

Filesize
360KB

Download
memory/484-161-0x0000000000C00000-0x0000000000C2B000-memory.dmp

Filesize
172KB

Download
memory/484-160-0x0000000000C00000-0x0000000000C2B000-memory.dmp

Filesize
172KB

Download
memory/484-159-0x00000000014D0000-0x000000000181A000-memory.dmp

Filesize
3.3MB

Download
memory/1192-153-0x0000000002B90000-0x0000000002BA1000-memory.dmp

Filesize
68KB

Download
memory/1192-152-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1192-138-0x0000000000000000-mapping.dmp

Download
memory/1192-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1192-156-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1192-146-0x0000000000E60000-0x00000000011AA000-memory.dmp

Filesize
3.3MB

Download
memory/1192-147-0x0000000000E00000-0x0000000000E11000-memory.dmp

Filesize
68KB

Download
memory/1408-137-0x0000000000000000-mapping.dmp

Download
memory/2220-167-0x0000000000000000-mapping.dmp

Download
memory/2976-148-0x0000000006CE0000-0x0000000006E42000-memory.dmp

Filesize
1.4MB

Download
memory/2976-163-0x0000000007C30000-0x0000000007DB7000-memory.dmp

Filesize
1.5MB

Download
memory/2976-154-0x0000000007B20000-0x0000000007BCF000-memory.dmp

Filesize
700KB

Download
memory/2976-164-0x0000000007C30000-0x0000000007DB7000-memory.dmp

Filesize
1.5MB

Download
memory/3680-141-0x0000000005C20000-0x0000000005C42000-memory.dmp

Filesize
136KB

Download
memory/3680-143-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3680-150-0x00000000069A0000-0x00000000069BA000-memory.dmp

Filesize
104KB

Download
memory/3680-135-0x0000000000000000-mapping.dmp

Download
memory/3680-149-0x0000000006A20000-0x0000000006AB6000-memory.dmp

Filesize
600KB

Download
memory/3680-145-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/3680-144-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3680-151-0x00000000069F0000-0x0000000006A12000-memory.dmp

Filesize
136KB

Download
memory/3680-136-0x0000000004F30000-0x0000000004F66000-memory.dmp

Filesize
216KB

Download
memory/3680-140-0x00000000055A0000-0x0000000005BC8000-memory.dmp

Filesize
6.2MB

Download
memory/3952-165-0x0000000000000000-mapping.dmp

Download
memory/4188-157-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000480000-0x00000000004D0000-memory.dmp

Filesize
320KB

Download
memory/4828-134-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/4828-133-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads