formbook | 98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7

General

Target

db102a67350060a1e967aef81118f18d.exe
Size

311KB
MD5

db102a67350060a1e967aef81118f18d
SHA1

a3131a3df17a154e41c09973ca8a9aabac29929e
SHA256

98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
SHA512

daad205a305f7774164f0ed2298501e8a4cade236b93f63db31e40713a66a379145a2e9ca861f8c337dcb5e3a29cbe50b1b77589941e1e1c7090c950766de7a3
SSDEEP

6144:NBn0ph65gGns2YvYPUaC55QAU4wVdsTbUi:EpoGHiO554Nbwb3

Score

10^/10

formbook xloader dwdp loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Extracted

Family

xloader

Version

3.8

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

iscan.exeiscan.exe

pid process

4816 iscan.exe
2196 iscan.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

iscan.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation iscan.exe

pid	process
4816	iscan.exe
2196	iscan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	iscan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iscan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oipsxnj = "C:\\Users\\Admin\\AppData\\Roaming\\iidryiceixqa\\iijhlev.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\iscan.exe\" C:\\Users\\Admin\\AppData\\Local"	iscan.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

iscan.exeiscan.exesystray.exe

description	pid	process	target process
PID 4816 set thread context of 2196	4816	iscan.exe	iscan.exe
PID 2196 set thread context of 2212	2196	iscan.exe	Explorer.EXE
PID 4900 set thread context of 2212	4900	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

iscan.exesystray.exe

pid	process
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2212 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

iscan.exeiscan.exesystray.exe

pid process

4816 iscan.exe
2196 iscan.exe
2196 iscan.exe
2196 iscan.exe
4900 systray.exe
4900 systray.exe
4900 systray.exe
4900 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

iscan.exesystray.exe

description pid process

Token: SeDebugPrivilege 2196 iscan.exe
Token: SeDebugPrivilege 4900 systray.exe

pid	process
2212	Explorer.EXE

pid	process
4816	iscan.exe
2196	iscan.exe
2196	iscan.exe
2196	iscan.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe
4900	systray.exe

description	pid	process
Token: SeDebugPrivilege	2196	iscan.exe
Token: SeDebugPrivilege	4900	systray.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

db102a67350060a1e967aef81118f18d.exeiscan.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2152 wrote to memory of 4816	2152	db102a67350060a1e967aef81118f18d.exe	iscan.exe
PID 2152 wrote to memory of 4816	2152	db102a67350060a1e967aef81118f18d.exe	iscan.exe
PID 2152 wrote to memory of 4816	2152	db102a67350060a1e967aef81118f18d.exe	iscan.exe
PID 4816 wrote to memory of 2196	4816	iscan.exe	iscan.exe
PID 4816 wrote to memory of 2196	4816	iscan.exe	iscan.exe
PID 4816 wrote to memory of 2196	4816	iscan.exe	iscan.exe
PID 4816 wrote to memory of 2196	4816	iscan.exe	iscan.exe
PID 2212 wrote to memory of 4900	2212	Explorer.EXE	systray.exe
PID 2212 wrote to memory of 4900	2212	Explorer.EXE	systray.exe
PID 2212 wrote to memory of 4900	2212	Explorer.EXE	systray.exe
PID 4900 wrote to memory of 208	4900	systray.exe	Firefox.exe
PID 4900 wrote to memory of 208	4900	systray.exe	Firefox.exe
PID 4900 wrote to memory of 208	4900	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\db102a67350060a1e967aef81118f18d.exe
"C:\Users\Admin\AppData\Local\Temp\db102a67350060a1e967aef81118f18d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\iscan.exe
"C:\Users\Admin\AppData\Local\Temp\iscan.exe" C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\iscan.exe
"C:\Users\Admin\AppData\Local\Temp\iscan.exe" C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iscan.exe
Filesize
122KB

MD5
2b4b3369e04dedd66517641db0f5a8ab

SHA1
a5e482597f6f2d68250a4eb28911683e50fac4de

SHA256
a4c4bf78e737ccadbabf71b57e5676a846d9adfc5442344eda8267325223b964

SHA512
67eb46ab147ad92db741b60f851a78b6bf88f2da93601542ee67d4faad448ceca73938207f5daeb0153d5d2c1c84a64949cd7856f404c0781c4e9633727354cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iscan.exe
Filesize
122KB

MD5
2b4b3369e04dedd66517641db0f5a8ab

SHA1
a5e482597f6f2d68250a4eb28911683e50fac4de

SHA256
a4c4bf78e737ccadbabf71b57e5676a846d9adfc5442344eda8267325223b964

SHA512
67eb46ab147ad92db741b60f851a78b6bf88f2da93601542ee67d4faad448ceca73938207f5daeb0153d5d2c1c84a64949cd7856f404c0781c4e9633727354cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iscan.exe
Filesize
122KB

MD5
2b4b3369e04dedd66517641db0f5a8ab

SHA1
a5e482597f6f2d68250a4eb28911683e50fac4de

SHA256
a4c4bf78e737ccadbabf71b57e5676a846d9adfc5442344eda8267325223b964

SHA512
67eb46ab147ad92db741b60f851a78b6bf88f2da93601542ee67d4faad448ceca73938207f5daeb0153d5d2c1c84a64949cd7856f404c0781c4e9633727354cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmbedbm.jl
Filesize
185KB

MD5
ae2c848f5a91f0eefbcfaecb3660089d

SHA1
a280f4205aabbcadc444fd983207e41a5871784e

SHA256
72b7c4d8e791ea9a4a34ba3626c1ff4be294988650e960c7f7ed18ca90847098

SHA512
66b79443d897dab52b4d5ff19d790fdca1c2a070b481c201265988b490770747b83f3888cbc5b2a07eca8ca1b90008dc33f615126b3f73e419d2484b9b487198

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxtnbfvzh.c
Filesize
7KB

MD5
64c3c26ce45e8c154d7ca9febb385997

SHA1
d606b7d8cd6e3046992ed26d869e47afd2a390ae

SHA256
a2f81ab67da82f261e6979caf0df1e366499015c6ababbd1a020601d4fb58185

SHA512
7a61fac51b7abd0d20d7ef06161bd417d120181e67e3cef891bb6d149b0ba656b0f9229cce9ed77b00b9ce37a9fb871b355eff925d904fb4dde26288370e3ab3

Download Submit
memory/2196-142-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2196-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-141-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/2196-137-0x0000000000000000-mapping.dmp

Download
memory/2196-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-150-0x0000000008AA0000-0x0000000008BDF000-memory.dmp

Filesize
1.2MB

Download
memory/2212-143-0x0000000008820000-0x0000000008932000-memory.dmp

Filesize
1.1MB

Download
memory/2212-152-0x0000000008AA0000-0x0000000008BDF000-memory.dmp

Filesize
1.2MB

Download
memory/4816-132-0x0000000000000000-mapping.dmp

Download
memory/4900-144-0x0000000000000000-mapping.dmp

Download
memory/4900-148-0x0000000001070000-0x000000000109D000-memory.dmp

Filesize
180KB

Download
memory/4900-149-0x0000000002D60000-0x0000000002DEF000-memory.dmp

Filesize
572KB

Download
memory/4900-147-0x0000000002EC0000-0x000000000320A000-memory.dmp

Filesize
3.3MB

Download
memory/4900-151-0x0000000001070000-0x000000000109D000-memory.dmp

Filesize
180KB

Download
memory/4900-146-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads