formbook | c67e6090d84532946ce00c79f918ea4733cd96b9ccb5dab54c0e0e2eeafb9cf9

General

Target

Purchase_Order.exe
Size

460KB
MD5

3b5056e4430804872a253c034ac9ca47
SHA1

2b0942b8aa1615a5d8c61326a3c88fa4d0658e09
SHA256

f468e0e25debea49005582be9279616ee2f100a73cbedaaecebdc210a5515102
SHA512

993b3511e6fa766b85418b2fc69ab921f8a51f377b3ca6a6caf818eaea9e6e90f26135c5dd89d76676b743d75f99a6d0d9c98942d16c522133e629a1484af3c3
SSDEEP

6144:j246z2kJ7ZM3X2a2gIi9pGB9o2L3v+1LqtOLzqTEogLXax:j246zrTMqi9EB9oU21LqtrETX

Score

10^/10

formbook xloader i65a loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Extracted

Family

xloader

Version

3.8

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase_Order.exeregsvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 4792 set thread context of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 3932 set thread context of 2664	3932	regsvcs.exe	Explorer.EXE
PID 3624 set thread context of 2664	3624	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3624 NETSTAT.EXE

pid	process
3624	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvcs.exeNETSTAT.EXE

pid	process
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3932	regsvcs.exe
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE
3624	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2664 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

regsvcs.exeNETSTAT.EXE

pid process

3932 regsvcs.exe
3932 regsvcs.exe
3932 regsvcs.exe
3624 NETSTAT.EXE
3624 NETSTAT.EXE
3624 NETSTAT.EXE
3624 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvcs.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3932 regsvcs.exe
Token: SeDebugPrivilege 3624 NETSTAT.EXE

pid	process
2664	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3932	regsvcs.exe
Token: SeDebugPrivilege	3624	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase_Order.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 4792 wrote to memory of 3932	4792	Purchase_Order.exe	regsvcs.exe
PID 2664 wrote to memory of 3624	2664	Explorer.EXE	NETSTAT.EXE
PID 2664 wrote to memory of 3624	2664	Explorer.EXE	NETSTAT.EXE
PID 2664 wrote to memory of 3624	2664	Explorer.EXE	NETSTAT.EXE
PID 3624 wrote to memory of 364	3624	NETSTAT.EXE	Firefox.exe
PID 3624 wrote to memory of 364	3624	NETSTAT.EXE	Firefox.exe
PID 3624 wrote to memory of 364	3624	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-141-0x0000000007FB0000-0x00000000080EA000-memory.dmp

Filesize
1.2MB

Download
memory/2664-151-0x0000000002DE0000-0x0000000002E88000-memory.dmp

Filesize
672KB

Download
memory/2664-149-0x0000000002DE0000-0x0000000002E88000-memory.dmp

Filesize
672KB

Download
memory/3624-146-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3624-145-0x0000000000FE0000-0x0000000000FEB000-memory.dmp

Filesize
44KB

Download
memory/3624-150-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3624-148-0x0000000000F50000-0x0000000000FDF000-memory.dmp

Filesize
572KB

Download
memory/3624-147-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/3624-142-0x0000000000000000-mapping.dmp

Download
memory/3932-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-144-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3932-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-137-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3932-140-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3932-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-139-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/3932-133-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000970000-0x00000000009E6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads