formbook | fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f

General

Target

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Size

1.2MB
MD5

6aa5f75d805cdd7f85f0d2557baad857
SHA1

6624b51ae972cbe99903c897c9664c72369782f3
SHA256

fe084e5fcd96061325aafd4528aedf59f3385a5c1bbf9daf3337ba1cabf4488f
SHA512

0862f8dcfd782f0ecf30b57c12c00b19b20a5f31665a9bfeaf1263048030e91fdb9fd01af8ef76c35f3121785724ff1151692636d3eb7fbacc22665d2aa116c8
SSDEEP

12288:FftjvJ4/XAISq1kmsoPIPDzRJp5urond09qRdQEQR150nZsLVvhoQtckql6AK4HQ:FSK5JoPIF5DndcSdVa15JRyQt

Score

10^/10

formbook xloader fofg loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1568-145-0x0000000000400000-0x000000000042C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	pid	process	target process
PID 1760 set thread context of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4032 schtasks.exe

pid	process
4032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid	process
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
396	powershell.exe
1568	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
1568	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
396	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1760 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Token: SeDebugPrivilege 396 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid process

1760 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

pid process

1760 SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

description	pid	process
Token: SeDebugPrivilege	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
Token: SeDebugPrivilege	396	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QaGACHm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QaGACHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp"
2⤵
- Creates scheduled task(s)
PID:4032

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
2⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp
Filesize
1KB

MD5
b41852c11294cb46155b728d144d4a96

SHA1
69bfc56897548de4d8ccbf10e7ac4d2d6030fd09

SHA256
b8e81b3d1f0f5dccb655bc9337b1f9d7ed8e2a5849c035055101df01c4e41833

SHA512
f0683ac022b4cd5d6dc3f474ff914de4abda267e2477b8b418a78d7d0025a87553a74a22529858d57becc6ba56eb3ce08d63b3cfdf518ac32b206f63d25cc792

Download Submit
memory/396-153-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/396-159-0x00000000078C0000-0x00000000078C8000-memory.dmp

Filesize
32KB

Download
memory/396-146-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/396-158-0x00000000078E0000-0x00000000078FA000-memory.dmp

Filesize
104KB

Download
memory/396-157-0x00000000077D0000-0x00000000077DE000-memory.dmp

Filesize
56KB

Download
memory/396-138-0x0000000000000000-mapping.dmp

Download
memory/396-156-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/396-140-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/396-155-0x0000000007610000-0x000000000761A000-memory.dmp

Filesize
40KB

Download
memory/396-142-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/396-147-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/396-152-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/396-151-0x0000000071880000-0x00000000718CC000-memory.dmp

Filesize
304KB

Download
memory/396-150-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/396-154-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/396-149-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/1568-148-0x00000000011E0000-0x000000000152A000-memory.dmp

Filesize
3.3MB

Download
memory/1568-144-0x0000000000000000-mapping.dmp

Download
memory/1568-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1632-143-0x0000000000000000-mapping.dmp

Download
memory/1760-134-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/1760-135-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/1760-132-0x00000000006C0000-0x0000000000802000-memory.dmp

Filesize
1.3MB

Download
memory/1760-133-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/1760-137-0x0000000009120000-0x0000000009186000-memory.dmp

Filesize
408KB

Download
memory/1760-136-0x0000000008E80000-0x0000000008F1C000-memory.dmp

Filesize
624KB

Download
memory/4032-139-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1760 wrote to memory of 396	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1760 wrote to memory of 396	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1760 wrote to memory of 396	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	powershell.exe
PID 1760 wrote to memory of 4032	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1760 wrote to memory of 4032	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1760 wrote to memory of 4032	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	schtasks.exe
PID 1760 wrote to memory of 1632	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1632	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1632	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe
PID 1760 wrote to memory of 1568	1760	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe	SecuriteInfo.com.Win32.PWSX-gen.15814.13814.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads