formbook | c02ba72751bcd08440effe6f60db6c75d43c337f510f4b73f3fe70261b9d31c9

General

Target

DOC20220913-567890987655608.exe
Size

495KB
MD5

24cfcc6d2aad113f2cf5e56e6ad439f8
SHA1

a2ab91dee9e7671c57678469643e3b2463ec38a6
SHA256

c02ba72751bcd08440effe6f60db6c75d43c337f510f4b73f3fe70261b9d31c9
SHA512

76008b53103b3bb12af4fb68e6b01ce7abe9e8ed2d0be1ba27df42b9fbbc3e126447d7a8f71636983eefedf4fe30e8ee68692ad80e2756a11b0ae60bd8758206
SSDEEP

12288:MHBumaHX7OghxLM6O975yWddnhJuKL0pKk:suzOALFO995dM

Score

10^/10

formbook xloader c1no loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

c1no

Decoy

SKHcqi+am5xGsHiCoXnH

BObxRpdRlNT5GCo3Eg8azNIQ

GPkN2SZ9gJOYqn4iaNIH6d1MRlk=

ZrdQ6Q4zd05LBFWPDc8=

KYQZEtvg85sq1t9jd7kazNIQ

KWu2/CZdnIFgf0p8

YlJ9mWmf+XkCjxzXSw==

nPeaENkZPzjWSh5DJiBVhlrTSx9V

GfUN8rKft59DsH2CoXnH

5ThnVCgjBm96jxzXSw==

pfb0D48Mk38v

uK6V0h16ziJXZuQ3NR8asKzT2Q==

QaxeYCJXoHFvKesgBSozIyC6bkTR8rbF

QT12wt/a0nsdrbY/oSGKqcq2wQ==

vfuiENwZZrvruTm5lHDF

iNsQyVnb3NHbtXyCoXnH

9jjn4jP8RyrjBYwNPvtfPg==

Wz1uwtUpdbrpwZXZq5HpXV7TSx9V

e9+RDvTx9HSZej/7PvtfPg==

oAeNwswNS6QgtnOdmcc=

Extracted

Family

xloader

Version

3.7

Campaign

c1no

Decoy

SKHcqi+am5xGsHiCoXnH

BObxRpdRlNT5GCo3Eg8azNIQ

GPkN2SZ9gJOYqn4iaNIH6d1MRlk=

ZrdQ6Q4zd05LBFWPDc8=

KYQZEtvg85sq1t9jd7kazNIQ

KWu2/CZdnIFgf0p8

YlJ9mWmf+XkCjxzXSw==

nPeaENkZPzjWSh5DJiBVhlrTSx9V

GfUN8rKft59DsH2CoXnH

5ThnVCgjBm96jxzXSw==

pfb0D48Mk38v

uK6V0h16ziJXZuQ3NR8asKzT2Q==

QaxeYCJXoHFvKesgBSozIyC6bkTR8rbF

QT12wt/a0nsdrbY/oSGKqcq2wQ==

vfuiENwZZrvruTm5lHDF

iNsQyVnb3NHbtXyCoXnH

9jjn4jP8RyrjBYwNPvtfPg==

Wz1uwtUpdbrpwZXZq5HpXV7TSx9V

e9+RDvTx9HSZej/7PvtfPg==

oAeNwswNS6QgtnOdmcc=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DOC20220913-567890987655608.execvtres.exesvchost.exe

description	pid	process	target process
PID 2328 set thread context of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 1516 set thread context of 3052	1516	cvtres.exe	Explorer.EXE
PID 4504 set thread context of 3052	4504	svchost.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

cvtres.exesvchost.exe

pid	process
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
1516	cvtres.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

cvtres.exesvchost.exe

pid process

1516 cvtres.exe
1516 cvtres.exe
1516 cvtres.exe
4504 svchost.exe
4504 svchost.exe
4504 svchost.exe
4504 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cvtres.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1516 cvtres.exe
Token: SeDebugPrivilege 4504 svchost.exe

pid	process
3052	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1516	cvtres.exe
Token: SeDebugPrivilege	4504	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DOC20220913-567890987655608.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 2328 wrote to memory of 1516	2328	DOC20220913-567890987655608.exe	cvtres.exe
PID 3052 wrote to memory of 4504	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 4504	3052	Explorer.EXE	svchost.exe
PID 3052 wrote to memory of 4504	3052	Explorer.EXE	svchost.exe
PID 4504 wrote to memory of 2532	4504	svchost.exe	Firefox.exe
PID 4504 wrote to memory of 2532	4504	svchost.exe	Firefox.exe
PID 4504 wrote to memory of 2532	4504	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\DOC20220913-567890987655608.exe
"C:\Users\Admin\AppData\Local\Temp\DOC20220913-567890987655608.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1516-133-0x0000000000000000-mapping.dmp

Download
memory/1516-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-137-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1516-138-0x00000000010F0000-0x000000000143A000-memory.dmp

Filesize
3.3MB

Download
memory/1516-140-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/1516-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-144-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2328-132-0x0000000000A20000-0x0000000000AA4000-memory.dmp

Filesize
528KB

Download
memory/3052-149-0x0000000007FB0000-0x000000000805D000-memory.dmp

Filesize
692KB

Download
memory/3052-141-0x0000000007EF0000-0x0000000007FA5000-memory.dmp

Filesize
724KB

Download
memory/3052-151-0x0000000007FB0000-0x000000000805D000-memory.dmp

Filesize
692KB

Download
memory/4504-142-0x0000000000000000-mapping.dmp

Download
memory/4504-147-0x0000000001260000-0x000000000128D000-memory.dmp

Filesize
180KB

Download
memory/4504-148-0x0000000001970000-0x00000000019FF000-memory.dmp

Filesize
572KB

Download
memory/4504-146-0x0000000001D00000-0x000000000204A000-memory.dmp

Filesize
3.3MB

Download
memory/4504-150-0x0000000001260000-0x000000000128D000-memory.dmp

Filesize
180KB

Download
memory/4504-145-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads