formbook | fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f

General

Target

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Size

1.2MB
MD5

6aa5f75d805cdd7f85f0d2557baad857
SHA1

6624b51ae972cbe99903c897c9664c72369782f3
SHA256

fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f
SHA512

0862f8dcfd782f0ecf30b57c12c00b19b20a5f31665a9bfeaf1263048030e91fdb9fd01af8ef76c35f3121785724ff1151692636d3eb7fbacc22665d2aa116c8
SSDEEP

12288:FftjvJ4/XAISq1kmsoPIPDzRJp5urond09qRdQEQR150nZsLVvhoQtckql6AK4HQ:FSK5JoPIF5DndcSdVa15JRyQt

Score

10^/10

formbook xloader fofg loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1660-68-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1660-69-0x000000000041F770-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	pid	process	target process
PID 1228 set thread context of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe

pid	process
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid	process
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
864	powershell.exe
1660	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1228 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Token: SeDebugPrivilege 864 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid process

1228 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid process

1228 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	pid	process
Token: SeDebugPrivilege	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Token: SeDebugPrivilege	864	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	pid	process	target process
PID 1228 wrote to memory of 864	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1228 wrote to memory of 864	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1228 wrote to memory of 864	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1228 wrote to memory of 864	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1228 wrote to memory of 1772	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1228 wrote to memory of 1772	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1228 wrote to memory of 1772	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1228 wrote to memory of 1772	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1228 wrote to memory of 1660	1228	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QaGACHm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QaGACHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E5.tmp"
2⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1E5.tmp
Filesize
1KB

MD5
044e2a3fedba3de50340e0c2fe214c05

SHA1
cdce896e7d76d37a6ee120889dd39e03b6fcb93e

SHA256
a3ea0c49f27770094ec5db382e37fec59bcd6bead477ec348f96c59b6d8c710e

SHA512
5be0ee0f4ba85359a1d89c6c1a0ef194ffc93c79103c6cf80f92c2d0fd6cfd47c619c5db6e1322d45d7c284361171cc6df5da7f08e6f3bc4efb5b60cf6b4013d

Download Submit
memory/864-60-0x0000000000000000-mapping.dmp

Download
memory/864-73-0x000000006E2D0000-0x000000006E87B000-memory.dmp

Filesize
5.7MB

Download
memory/864-72-0x000000006E2D0000-0x000000006E87B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-58-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/1228-71-0x0000000004FF5000-0x0000000005006000-memory.dmp

Filesize
68KB

Download
memory/1228-54-0x0000000001080000-0x00000000011C2000-memory.dmp

Filesize
1.3MB

Download
memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1228-57-0x0000000004FF5000-0x0000000005006000-memory.dmp

Filesize
68KB

Download
memory/1228-64-0x0000000008190000-0x0000000008206000-memory.dmp

Filesize
472KB

Download
memory/1228-56-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/1228-59-0x00000000080C0000-0x000000000818E000-memory.dmp

Filesize
824KB

Download
memory/1660-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1660-69-0x000000000041F770-mapping.dmp

Download
memory/1660-70-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1660-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1660-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1772-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads