formbook | 2bc804ba23087af0322ad6db39591dfa67663374579f40fb9b44321144beb9ce

General

Target

Bestellbeleg _ TCW23955 _.exe
Size

481KB
MD5

244e25f9594a67310c1e343439dc1a22
SHA1

9f358e6c79734d1624f5e282c527f88676d00436
SHA256

2bc804ba23087af0322ad6db39591dfa67663374579f40fb9b44321144beb9ce
SHA512

71650005d885af672f128b23718619633630da8f453fc0b6bbbd94ffb92679296b98eafa11f4b1eea61c94e32aff91ffad05c5d3ce4db87925858df1cf6b2225
SSDEEP

12288:uToPWBv/cpGrU3ywtmTcatB3WxS9YYNNDsePPc:uTbBv5rU9mT3fieK

Score

10^/10

formbook xloader nrln loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Extracted

Family

xloader

Version

3.8

Campaign

nrln

Decoy

IG7zJSm49UqTTuu/N/oTCIg=

CVLdAPgw0CRSMuZnRRU=

PiA5Z3umP2NyX81VGQhjWyS59nFYhXiG

5i6p4GeQqtBgNRfGNQ==

5984keYswxh8mGZHz4ipAHtQ

VNJaK4Gh0CrOvHpW/p353A==

71rEtrL2icToyKGhcWrTxjsFU5T98zeO

r3q1sy1iZaL+2XIUAob7yw==

9+83Qkrk/vV/jVXsDvoTCIg=

aMFAgYF1prov8/UErH/Y1A==

Alqtx/0rxwEbCLdudftl

ImCbnglBSUHF0mv2tTSP40bPeYao

s4DFNvAJ4GIJ+g==

phOa6mtS8QQICuZnRRU=

7TSu5vqRtB45EZtf4WDSTBHPeYao

ImPWqwUUIVWMQLyMbUab7tmspvNCcT8=

HF7jKjbGox2SAffTPw==

yAM3mOQot5l+cD0ikR5MGp8=

UYzW0/8z70JcQenVLidu1kLPeYao

OoCznp5UWz+hT9OBFXbfVhXPeYao

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 1 IoCs

Processes:

hjmxjiqeampicm.exe

pid process

3700 hjmxjiqeampicm.exe

pid	process
3700	hjmxjiqeampicm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bestellbeleg _ TCW23955 _.exehjmxjiqeampicm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Bestellbeleg _ TCW23955 _.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	hjmxjiqeampicm.exe

Loads dropped DLL 1 IoCs

Processes:

hjmxjiqeampicm.exe

pid process

3288 hjmxjiqeampicm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hjmxjiqeampicm.exehjmxjiqeampicm.execmmon32.exe

description	pid	process	target process
PID 3700 set thread context of 3288	3700	hjmxjiqeampicm.exe	hjmxjiqeampicm.exe
PID 3288 set thread context of 2688	3288	hjmxjiqeampicm.exe	Explorer.EXE
PID 3364 set thread context of 2688	3364	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

hjmxjiqeampicm.execmmon32.exe

pid	process
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3288	hjmxjiqeampicm.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe
3364	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2688 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

hjmxjiqeampicm.execmmon32.exe

pid process

3288 hjmxjiqeampicm.exe
3288 hjmxjiqeampicm.exe
3288 hjmxjiqeampicm.exe
3364 cmmon32.exe
3364 cmmon32.exe
3364 cmmon32.exe
3364 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hjmxjiqeampicm.execmmon32.exe

description pid process

Token: SeDebugPrivilege 3288 hjmxjiqeampicm.exe
Token: SeDebugPrivilege 3364 cmmon32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

2688 Explorer.EXE
2688 Explorer.EXE
2688 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

2688 Explorer.EXE
2688 Explorer.EXE
2688 Explorer.EXE

pid	process
2688	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3288	hjmxjiqeampicm.exe
Token: SeDebugPrivilege	3364	cmmon32.exe

pid	process
2688	Explorer.EXE
2688	Explorer.EXE
2688	Explorer.EXE

pid	process
2688	Explorer.EXE
2688	Explorer.EXE
2688	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Bestellbeleg _ TCW23955 _.exehjmxjiqeampicm.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 484 wrote to memory of 3700	484	Bestellbeleg _ TCW23955 _.exe	hjmxjiqeampicm.exe
PID 484 wrote to memory of 3700	484	Bestellbeleg _ TCW23955 _.exe	hjmxjiqeampicm.exe
PID 484 wrote to memory of 3700	484	Bestellbeleg _ TCW23955 _.exe	hjmxjiqeampicm.exe
PID 3700 wrote to memory of 3288	3700	hjmxjiqeampicm.exe	hjmxjiqeampicm.exe
PID 3700 wrote to memory of 3288	3700	hjmxjiqeampicm.exe	hjmxjiqeampicm.exe
PID 3700 wrote to memory of 3288	3700	hjmxjiqeampicm.exe	hjmxjiqeampicm.exe
PID 3700 wrote to memory of 3288	3700	hjmxjiqeampicm.exe	hjmxjiqeampicm.exe
PID 2688 wrote to memory of 3364	2688	Explorer.EXE	cmmon32.exe
PID 2688 wrote to memory of 3364	2688	Explorer.EXE	cmmon32.exe
PID 2688 wrote to memory of 3364	2688	Explorer.EXE	cmmon32.exe
PID 3364 wrote to memory of 408	3364	cmmon32.exe	Firefox.exe
PID 3364 wrote to memory of 408	3364	cmmon32.exe	Firefox.exe
PID 3364 wrote to memory of 408	3364	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\Bestellbeleg _ TCW23955 _.exe
"C:\Users\Admin\AppData\Local\Temp\Bestellbeleg _ TCW23955 _.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe
"C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe
"C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxxyzvvy.idk
Filesize
4KB

MD5
d6a7357cebaec5c37d974b5b2cd30a39

SHA1
598bad151d50fa470f84e583d4f319d7c5c59e38

SHA256
61ccfdc9d45305bc4e0c7d83bd7b9e00d13d4112ffd31afd177a06f9ccaabbc3

SHA512
498fa77f2ebf8c80b94c4908e9bee7fb67ec7fe5c713d5b4a58b01f4cef822dea1f25ea09107c0ff1a6f953c4609c38cfce34e95b3f7e634258c89e5d0be21d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe
Filesize
6KB

MD5
201e0f4c5ce4e21eb9212ef6497ef6a4

SHA1
c5c6f145b2f97499db5f37aca2bbd6ec1d9c128e

SHA256
1739b151a25d21ad5733e7bdcfa8d84742a38da39361c7e968cebb5aa8cf6a80

SHA512
0153ec3a24344ec97a55bd45f004fb7956542041063ed736a8da0b368b14263e05fa2feed7fc3cb22f5094ab8fcca54d67473d1d0181844279dcd7da0701b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe
Filesize
6KB

MD5
201e0f4c5ce4e21eb9212ef6497ef6a4

SHA1
c5c6f145b2f97499db5f37aca2bbd6ec1d9c128e

SHA256
1739b151a25d21ad5733e7bdcfa8d84742a38da39361c7e968cebb5aa8cf6a80

SHA512
0153ec3a24344ec97a55bd45f004fb7956542041063ed736a8da0b368b14263e05fa2feed7fc3cb22f5094ab8fcca54d67473d1d0181844279dcd7da0701b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjmxjiqeampicm.exe
Filesize
6KB

MD5
201e0f4c5ce4e21eb9212ef6497ef6a4

SHA1
c5c6f145b2f97499db5f37aca2bbd6ec1d9c128e

SHA256
1739b151a25d21ad5733e7bdcfa8d84742a38da39361c7e968cebb5aa8cf6a80

SHA512
0153ec3a24344ec97a55bd45f004fb7956542041063ed736a8da0b368b14263e05fa2feed7fc3cb22f5094ab8fcca54d67473d1d0181844279dcd7da0701b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wggrubs.apr
Filesize
185KB

MD5
fe0c6a28ac6b3e6fd8136d7726e3fd67

SHA1
329d8d90d4ccf515bf037632d2ef4bde60c9f575

SHA256
7988136a2acd903a45d385543cc740b3acee84163d21ad99ac8f5aa1503cd130

SHA512
3a91a4d170b945f339dba3a077f37c64192e9f795a24ba4252c14497a80ba4999da9ae4392249452775cb3f1c50b7cb44e19ab04a579711bf7105f98af8adf1d

Download Submit
memory/2688-143-0x0000000008280000-0x00000000083E7000-memory.dmp

Filesize
1.4MB

Download
memory/2688-152-0x00000000083F0000-0x00000000084CF000-memory.dmp

Filesize
892KB

Download
memory/2688-150-0x00000000083F0000-0x00000000084CF000-memory.dmp

Filesize
892KB

Download
memory/3288-142-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/3288-141-0x0000000001520000-0x000000000186A000-memory.dmp

Filesize
3.3MB

Download
memory/3288-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3288-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-137-0x0000000000000000-mapping.dmp

Download
memory/3364-144-0x0000000000000000-mapping.dmp

Download
memory/3364-147-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3364-146-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/3364-148-0x00000000026A0000-0x00000000029EA000-memory.dmp

Filesize
3.3MB

Download
memory/3364-149-0x0000000002500000-0x000000000258F000-memory.dmp

Filesize
572KB

Download
memory/3364-151-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3700-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads