Behavioral Report

General

Target

2022FHS0927.exe
Size

559KB
MD5

1af80199193f11910eb4011b3fddd893
SHA1

c4fa00704232f0d10234c8dbde7f8f6d367e3043
SHA256

88c13fcf3ec81929d9bf994b5b9e44fed8d59e22074142843db649d9ff2baaba
SHA512

60e854f79b1c637282648a8ea0c86dc680974755180a291967e873885284060184b03175d66641d088e47656d7eef2147e31e5ef113dd246249987daf2865e74
SSDEEP

12288:HToPWBv/cpGrU3yxlfmWiUkVdxi5FUvc+tIK6Y2:HTbBv5rUsfmVri5Sk+aK6n

Score

10^/10

formbook xloader i65a loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==
iSMQDJ3Tyuj8KXflBw==
Gq+tYoFrGU/5B4gGNnzHNg==
wEwcynSwpynZKUFhqyIK
bw3PbrjowhAVJA==
TggEt9LuwhAVJA==
r0UqC6sxgcWN7vc=
0m+fwBgf0oyehByUtx51BsBkuj8=
dhtdWWyIhRatp2dpv8tPcJoQ
jTAw4/4TCwcXjpECXDSqPg==
aglx4nPPkGp/raeivGVOfzdbFIu4
+qXr4cAGtQJm7Mf6
sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=
E6ohOo2zadVgzLIfaWALaik=
wXwu0yo/KbNm7Mf6
EcoyojCJYKg1laCuBK+exkNbFIu4
bhZgFvj6yP+R4F+0/5S/oFMpAA==
rzlylCB1NIMabG2dzGQd
+5ngCKjwwhAVJA==
AMUtZrYh+0LPL/QyfSo=
hzqw1O4JApAae41vjXUOeC8=
C7guqfg0PD5dvVf4DQ==
BsM1AaksgMWN7vc=
5pcGLkVbBUPPL/QyfSo=
TvMO/UKDdcWN7vc=
fCNJYrrKfTprvVf4DQ==
5rfNvNbPhEFrvVf4DQ==
9717JcIR+w4iNgKcr91It5f448HcIA==
Wfo2UPQmr3SeAgqCx+ihjjsY
Svg8XfRAHZ5DvXj4EA==
TuXg5TNpdh6yCOmt0pkeNaKCuzc=
fjn46QYnKM4w0+g=
WRV/AkxH/M7NzFzkCw91Zpz048HcIA==
Bo6ILlHigRGpGJRgtPd6WQFsGA==
ZCdTYvhSBMTjO0mpy+ihjjsY
Vg104XmxSn8DTRA2YCA=
fBmNxO/pwkHXAKalv3UOeC8=
2YL6LEtrcsyquo2wz3ahjjsY
iC2cyuTQsS3KHymco5LiuXXRdYc9KA==
JvGrI2XdqxWjoPQyfSo=
NMuVRIiBW1Nhjn9zgw3PwEJbFIu4
7KsjVqn0meiO7MVyjXUOeC8=
XvgsVPgmHCtBPPXC7IhcycBkuj8=
HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8=
ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx
PvN6Nk9THuEFRZYCFA==
cx/LcM3luPqVmxJ+jhMI
smWwq8nUo09jvVf4DQ==
aBnnX3Z7RIQqQsRdhz0=
8o1CKXiwmgZm7Mf6
s2NR7g0vRFBRp3VhqyIK
DLYGcptChcWN7vc=
0GEVmuU0F1jkMfQyfSo=
s1Kiy26yq6+H9spyinUOeC8=
CZxV2PHhkdRu/ewuGg==
y8Xu3/EguTvj
ulTCKLYf9ULaNPQyfSo=
1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q==
V+zu64nHc059gzjoEtXhkxEB
dQkau9PuwhAVJA==
NMYypu3zqoGsllajzOShjjsY
Wxkhx+n/zcWN7vc=
74dZAaju4XcRfFR3kzM=
u3R6gBVPPDpcvVf4DQ==
partnermdg.com

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Extracted

Family

xloader

Version

3.8

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==
iSMQDJ3Tyuj8KXflBw==
Gq+tYoFrGU/5B4gGNnzHNg==
wEwcynSwpynZKUFhqyIK
bw3PbrjowhAVJA==
TggEt9LuwhAVJA==
r0UqC6sxgcWN7vc=
0m+fwBgf0oyehByUtx51BsBkuj8=
dhtdWWyIhRatp2dpv8tPcJoQ
jTAw4/4TCwcXjpECXDSqPg==
aglx4nPPkGp/raeivGVOfzdbFIu4
+qXr4cAGtQJm7Mf6
sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=
E6ohOo2zadVgzLIfaWALaik=
wXwu0yo/KbNm7Mf6
EcoyojCJYKg1laCuBK+exkNbFIu4
bhZgFvj6yP+R4F+0/5S/oFMpAA==
rzlylCB1NIMabG2dzGQd
+5ngCKjwwhAVJA==
AMUtZrYh+0LPL/QyfSo=
hzqw1O4JApAae41vjXUOeC8=
C7guqfg0PD5dvVf4DQ==
BsM1AaksgMWN7vc=
5pcGLkVbBUPPL/QyfSo=
TvMO/UKDdcWN7vc=
fCNJYrrKfTprvVf4DQ==
5rfNvNbPhEFrvVf4DQ==
9717JcIR+w4iNgKcr91It5f448HcIA==
Wfo2UPQmr3SeAgqCx+ihjjsY
Svg8XfRAHZ5DvXj4EA==
TuXg5TNpdh6yCOmt0pkeNaKCuzc=
fjn46QYnKM4w0+g=
WRV/AkxH/M7NzFzkCw91Zpz048HcIA==
Bo6ILlHigRGpGJRgtPd6WQFsGA==
ZCdTYvhSBMTjO0mpy+ihjjsY
Vg104XmxSn8DTRA2YCA=
fBmNxO/pwkHXAKalv3UOeC8=
2YL6LEtrcsyquo2wz3ahjjsY
iC2cyuTQsS3KHymco5LiuXXRdYc9KA==
JvGrI2XdqxWjoPQyfSo=
NMuVRIiBW1Nhjn9zgw3PwEJbFIu4
7KsjVqn0meiO7MVyjXUOeC8=
XvgsVPgmHCtBPPXC7IhcycBkuj8=
HsE0cZF7K+0KXVC4yexV8KqiJAA0Yi8=
ZA9olK7JxkTg6q7/TenoBXFnljPD7XGx
PvN6Nk9THuEFRZYCFA==
cx/LcM3luPqVmxJ+jhMI
smWwq8nUo09jvVf4DQ==
aBnnX3Z7RIQqQsRdhz0=
8o1CKXiwmgZm7Mf6
s2NR7g0vRFBRp3VhqyIK
DLYGcptChcWN7vc=
0GEVmuU0F1jkMfQyfSo=
s1Kiy26yq6+H9spyinUOeC8=
CZxV2PHhkdRu/ewuGg==
y8Xu3/EguTvj
ulTCKLYf9ULaNPQyfSo=
1Yl0JHHbnlR3eAp4uepO8u5YFRkKjVNu8Q==
V+zu64nHc059gzjoEtXhkxEB
dQkau9PuwhAVJA==
NMYypu3zqoGsllajzOShjjsY
Wxkhx+n/zcWN7vc=
74dZAaju4XcRfFR3kzM=
u3R6gBVPPDpcvVf4DQ==
partnermdg.com

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE ⋅ 2 IoCs

Processes:

fxozeofvttswxx.exefxozeofvttswxx.exe

pid process

4792 fxozeofvttswxx.exe
3460 fxozeofvttswxx.exe

pid	process
4792	fxozeofvttswxx.exe
3460	fxozeofvttswxx.exe

Checks computer location settings ⋅ 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

2022FHS0927.exefxozeofvttswxx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2022FHS0927.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fxozeofvttswxx.exe

Loads dropped DLL ⋅ 1 IoCs

Processes:

fxozeofvttswxx.exe

pid process

540 fxozeofvttswxx.exe

Suspicious use of SetThreadContext ⋅ 3 IoCs

Processes:

fxozeofvttswxx.exefxozeofvttswxx.exenetsh.exe

description	pid	process	target process
PID 4792 set thread context of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 540 set thread context of 380	540	fxozeofvttswxx.exe	Explorer.EXE
PID 5092 set thread context of 380	5092	netsh.exe	Explorer.EXE

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Program crash ⋅ 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 4792 WerFault.exe fxozeofvttswxx.exe

pid	pid_target	process	target process
4124	4792	WerFault.exe	fxozeofvttswxx.exe

Modifies Internet Explorer settings ⋅ 1 TTPs 1 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses ⋅ 64 IoCs

Processes:

fxozeofvttswxx.exenetsh.exe

pid	process
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
540	fxozeofvttswxx.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe
5092	netsh.exe

Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

Explorer.EXE

pid process

380 Explorer.EXE
Suspicious behavior: MapViewOfSection ⋅ 7 IoCs

Processes:

fxozeofvttswxx.exenetsh.exe

pid process

540 fxozeofvttswxx.exe
540 fxozeofvttswxx.exe
540 fxozeofvttswxx.exe
5092 netsh.exe
5092 netsh.exe
5092 netsh.exe
5092 netsh.exe

pid	process
380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken ⋅ 6 IoCs

Processes:

fxozeofvttswxx.exeExplorer.EXEnetsh.exe

description	pid	process
Token: SeDebugPrivilege	540	fxozeofvttswxx.exe
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE
Token: SeDebugPrivilege	5092	netsh.exe
Token: SeShutdownPrivilege	380	Explorer.EXE
Token: SeCreatePagefilePrivilege	380	Explorer.EXE

Suspicious use of WriteProcessMemory ⋅ 16 IoCs

Processes:

2022FHS0927.exefxozeofvttswxx.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 2096 wrote to memory of 4792	2096	2022FHS0927.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 3460	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 4792 wrote to memory of 540	4792	fxozeofvttswxx.exe	fxozeofvttswxx.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 380 wrote to memory of 5092	380	Explorer.EXE	netsh.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe
PID 5092 wrote to memory of 3640	5092	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:380

C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe

"C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe"

Checks computer location settings
Suspicious use of WriteProcessMemory

PID:2096

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe

"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4792

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe

"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"

Executes dropped EXE

PID:3460

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe

"C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe"

Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken

PID:540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 468

Program crash

PID:4124

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe"

Suspicious use of SetThreadContext
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:5092

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

PID:3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4792 -ip 4792

PID:4392

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxozeofvttswxx.exe
MD5
80e53c7e9533304a1dd8451a44033963

SHA1
e3aa1439e674f771cdfd31d54f1919996d5d69c0

SHA256
5aa8f6151b8411d182b4cb5670be1fb91b164945547656fb7633115c59572647

SHA512
18ba8e642d9041bb1d712e0a2927e91e7e95bbc09c32a30bccea0e840858a9e3de531a68e9e6b5f00afec2034f35dd415cb14aeaa9b004783ef22e94e30afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkzhqfmh.x
MD5
b5ab6fd93a9219405f952da310e57be6

SHA1
bbce71fbe4ee76d501465fd690bdfaa223dbf8c7

SHA256
ce00fbcfd58b20199b5f72fe86ff7bc4dcdd299f01bce24fa503cf1522d63356

SHA512
8a1f6cee44307ce56984253fc91cb3457c98d5b602f4fc2acf4637149bed1db66238182c1f5655594bd49c32d941222b93c7c3f9a32756ac4123cd8a4eef209a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhwjutdfej.ewq
MD5
2e5e95f9d3a1018b1ae484464631ba22

SHA1
87c85e0ea8c8aa00802e153906cb34c034b37992

SHA256
e6e23dd1ff1e26c2c272cfebd3014e683a026c7645d4261c81b848b51cc48d48

SHA512
7dd0d009d83786a48b8d775bb447cad41d24c6ea04bee0972d16531d248b269b99d8e9bfc971fa032f00c66cf22c77098abd7b934c368142d4a44ab68c105a48

Download Submit
memory/380-144-0x0000000005110000-0x000000000520D000-memory.dmp

Download
memory/380-152-0x00000000082E0000-0x000000000841C000-memory.dmp

Download
memory/380-150-0x00000000082E0000-0x000000000841C000-memory.dmp

Download
memory/540-142-0x0000000000F70000-0x00000000012BA000-memory.dmp

Download
memory/540-143-0x00000000005F0000-0x0000000000600000-memory.dmp

Download
memory/540-141-0x0000000000400000-0x000000000042F000-memory.dmp

Download
memory/540-140-0x0000000000401000-0x000000000042F000-memory.dmp

Download
memory/540-138-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download
memory/5092-145-0x0000000000000000-mapping.dmp

Download
memory/5092-146-0x0000000001780000-0x000000000179E000-memory.dmp

Download
memory/5092-147-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Download
memory/5092-148-0x0000000001270000-0x00000000015BA000-memory.dmp

Download
memory/5092-149-0x00000000010F0000-0x000000000117F000-memory.dmp

Download
memory/5092-151-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads