formbook | 88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba

General

Target

2022FHS0927.exe
Size

559KB
MD5

1af80199193f11910eb4011b3fddd893
SHA1

c4fa00704232f0d10234c8dbde7f8f6d367e3043
SHA256

88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba
SHA512

60e854f79b1c637282648a8ea0c86dc680974755180a291967e873885284060184b03175d66641d088e47656d7eef2147e31e5ef113dd246249987daf2865e74
SSDEEP

12288:HToPWBv/cpGrU3yxlfmWiUkVdxi5FUvc+tIK6Y2:HTbBv5rUsfmVri5Sk+aK6n

Score

10^/10

formbook xloader i65a loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Extracted

Family

xloader

Version

3.8

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

fxozeofvttswxx.exefxozeofvttswxx.exe

pid process

4792 fxozeofvttswxx.exe
3460 fxozeofvttswxx.exe

pid	process
4792	fxozeofvttswxx.exe
3460	fxozeofvttswxx.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2022FHS0927.exefxozeofvttswxx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2022FHS0927.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fxozeofvttswxx.exe

Loads dropped DLL 1 IoCs

Processes:

fxozeofvttswxx.exe

pid process

540 fxozeofvttswxx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fxozeofvttswxx.exefxozeofvttswxx.exenetsh.exe

description	pid	process	target process
PID 4792 set thread context of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 540 set thread context of 380	540	fxozeofvttswxx.exe	Explorer.EXE
PID 5092 set thread context of 380	5092	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 4792 WerFault.exe fxozeofvttswxx.exe

pid	pid_target	process	target process
4124	4792	WerFault.exe	fxozeofvttswxx.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fxozeofvttswxx.exenetsh.exe

pid	process
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

380 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

fxozeofvttswxx.exenetsh.exe

pid process

540 fxozeofvttswxx.exe
540 fxozeofvttswxx.exe
540 fxozeofvttswxx.exe
5092 netsh.exe
5092 netsh.exe
5092 netsh.exe
5092 netsh.exe

pid	process
380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

fxozeofvttswxx.exeExplorer.EXEnetsh.exe

description	pid	process
Token: SeDebugPrivilege	540	fxozeofvttswxx.exe
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE
Token: SeDebugPrivilege	5092	netsh.exe
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2022FHS0927.exefxozeofvttswxx.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe
"C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"
4⤵
- Executes dropped EXE
PID:3460

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 468
4⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4792 -ip 4792
1⤵
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
Filesize
56KB

MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
Filesize
56KB

MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
Filesize
56KB

MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
Filesize
56KB

MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkzhqfmh.x
Filesize
4KB

MD5
b5ab6fd93a9219405f952da310e57be6

SHA1
bbce71fbe4ee76d501465fd690bdfaa223dbf8c7

SHA256
ce00fbcfd58b20199b5f72fe86ff7bc4dcdd299f01bce24fa503cf1522d63356

SHA512
8a1f6cee44307ce56984253fc91cb3457c98d5b602f4fc2acf4637149bed1db66238182c1f5655594bd49c32d941222b93c7c3f9a32756ac4123cd8a4eef209a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhwjutdfej.ewq
Filesize
185KB

MD5
2e5e95f9d3a1018b1ae484464631ba22

SHA1
87c85e0ea8c8aa00802e153906cb34c034b37992

SHA256
e6e23dd1ff1e26c2c272cfebd3014e683a026c7645d4261c81b848b51cc48d48

SHA512
7dd0d009d83786a48b8d775bb447cad41d24c6ea04bee0972d16531d248b269b99d8e9bfc971fa032f00c66cf22c77098abd7b934c368142d4a44ab68c105a48

Download Submit
memory/380-144-0x0000000005110000-0x000000000520D000-memory.dmp

Filesize
1012KB

Download
memory/380-152-0x00000000082E0000-0x000000000841C000-memory.dmp

Filesize
1.2MB

Download
memory/380-150-0x00000000082E0000-0x000000000841C000-memory.dmp

Filesize
1.2MB

Download
memory/540-142-0x0000000000F70000-0x00000000012BA000-memory.dmp

Filesize
3.3MB

Download
memory/540-143-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/540-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/540-138-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download
memory/5092-145-0x0000000000000000-mapping.dmp

Download
memory/5092-146-0x0000000001780000-0x000000000179E000-memory.dmp

Filesize
120KB

Download
memory/5092-147-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Filesize
180KB

Download
memory/5092-148-0x0000000001270000-0x00000000015BA000-memory.dmp

Filesize
3.3MB

Download
memory/5092-149-0x00000000010F0000-0x000000000117F000-memory.dmp

Filesize
572KB

Download
memory/5092-151-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads