formbook | 109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
Size

824KB
MD5

4575f347077760e1257159f74291fad0
SHA1

d65c9fa35db54403c42b2731f6c616317eb23b78
SHA256

109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
SHA512

d238fead3b0efa0c6140f587b1d9ff9a9b7298189d6153a3d53aaeaa95b440807e9871ed60706e85c5f396f272ce6ab548184a0ba64c9f8e7b04300fed96936e
SSDEEP

12288:88xW3p8fe9EgNBWWJXVy20V0abqYU3K4j2X2Er5OxG2:8xCfe9EmLJlNIF3RXVr0G

Score

10^/10

formbook modiloader xloader n7ak uj3c loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

wise-transfer.info

jam-nins.com

thebestsocialcrm.com

majomeow222.com

ancientshadowguilt.space

gentleman-china.com

parquemermoz.store

taxuw.com

sharqiyapaints.com

libraryofkath.com

1949wan.com

synqr.net

bitchessgirls.com

btonu.cfd

coding-bootcamps-16314.com

leadership22-tdh.site

maximsboutique.com

irishsummertruffles.com

sdnaqianchuan.com

uyews.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3464-164-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4224-166-0x0000000010410000-0x000000001043F000-memory.dmp	formbook

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4268-132-0x00000000021C0000-0x00000000021EB000-memory.dmp	modiloader_stage2
behavioral2/memory/3464-158-0x0000000002690000-0x00000000026BB000-memory.dmp	modiloader_stage2

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4268-136-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/2824-138-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/4792-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmp	xloader
behavioral2/memory/4792-149-0x0000000000BC0000-0x0000000000BEB000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

50 4792 cscript.exe
Executes dropped EXE 1 IoCs

Processes:

-zvhy.exe

pid process

3464 -zvhy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
50	4792	cscript.exe

pid	process
3464	-zvhy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.TrojanX-gen.360.32285.execscript.exe-zvhy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Blxzzvfq = "C:\\Users\\Public\\Libraries\\qfvzzxlB.url"	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MJVHTBGXCLQ = "C:\\Program Files (x86)\\Bglr\\fpxxanhkv1tsdz.exe"	cscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xithgxdv = "C:\\Users\\Public\\Libraries\\vdxghtiX.url"	-zvhy.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

colorcpl.execscript.exewscript.exe

description	pid	process	target process
PID 2824 set thread context of 676	2824	colorcpl.exe	Explorer.EXE
PID 4792 set thread context of 676	4792	cscript.exe	Explorer.EXE
PID 4224 set thread context of 676	4224	wscript.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cscript.exe

description ioc process

File opened for modification C:\Program Files (x86)\Bglr\fpxxanhkv1tsdz.exe cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bglr\fpxxanhkv1tsdz.exe	cscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

SecuriteInfo.com.Win32.TrojanX-gen.360.32285.execolorcpl.execscript.exe-zvhy.exewscript.exe

pid	process
4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
2824	colorcpl.exe
2824	colorcpl.exe
2824	colorcpl.exe
2824	colorcpl.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
3464	-zvhy.exe
3464	-zvhy.exe
4224	wscript.exe
4792	cscript.exe
4792	cscript.exe
4224	wscript.exe
4224	wscript.exe
4224	wscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

676 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

colorcpl.execscript.exewscript.exe

pid process

2824 colorcpl.exe
2824 colorcpl.exe
2824 colorcpl.exe
4792 cscript.exe
4792 cscript.exe
4792 cscript.exe
4792 cscript.exe
4224 wscript.exe

pid	process
676	Explorer.EXE

pid	process
2824	colorcpl.exe
2824	colorcpl.exe
2824	colorcpl.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4792	cscript.exe
4224	wscript.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

colorcpl.exeExplorer.EXEcscript.exewscript.exe

description	pid	process
Token: SeDebugPrivilege	2824	colorcpl.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeDebugPrivilege	4792	cscript.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeDebugPrivilege	4224	wscript.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exeExplorer.EXEcscript.exe-zvhy.exe

description	pid	process	target process
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 4268 wrote to memory of 2824	4268	SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe	colorcpl.exe
PID 676 wrote to memory of 4792	676	Explorer.EXE	cscript.exe
PID 676 wrote to memory of 4792	676	Explorer.EXE	cscript.exe
PID 676 wrote to memory of 4792	676	Explorer.EXE	cscript.exe
PID 4792 wrote to memory of 4712	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 4712	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 4712	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 1560	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 1560	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 1560	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 220	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 220	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 220	4792	cscript.exe	cmd.exe
PID 4792 wrote to memory of 3416	4792	cscript.exe	Firefox.exe
PID 4792 wrote to memory of 3416	4792	cscript.exe	Firefox.exe
PID 4792 wrote to memory of 3416	4792	cscript.exe	Firefox.exe
PID 4792 wrote to memory of 3464	4792	cscript.exe	-zvhy.exe
PID 4792 wrote to memory of 3464	4792	cscript.exe	-zvhy.exe
PID 4792 wrote to memory of 3464	4792	cscript.exe	-zvhy.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 3464 wrote to memory of 4224	3464	-zvhy.exe	wscript.exe
PID 676 wrote to memory of 3488	676	Explorer.EXE	help.exe
PID 676 wrote to memory of 3488	676	Explorer.EXE	help.exe
PID 676 wrote to memory of 3488	676	Explorer.EXE	help.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.360.32285.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:220

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\-zvhy.exe
"C:\Users\Admin\AppData\Local\Temp\-zvhy.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\wscript.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0AB67BD4882FB0E09822529CFEB33A58
Filesize
926B

MD5
4cba44f3f001d431f7e49270bd0f6db4

SHA1
dc75ec40f389866eacf0140c44f53f3947e72541

SHA256
0dfd9c9d1c4f7dea9adfe3ef6070c02d50cbf5f33f304ecc98a0ab89a346d7fe

SHA512
2c227ff133ef2838a246161a2e53ee657d0af9512b71cdf7d27627faecfde23ea2a499e3a9f0350775f4f8eb5cdcda96a85020bfb818f48d78c6e5f2b73d7ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0AB67BD4882FB0E09822529CFEB33A58
Filesize
246B

MD5
8bfc79346387a4fae273ae726ebebe4e

SHA1
bfec66e4110d35d1ac7cdd3e428d51b290678ce9

SHA256
ad02e36a372a64b08b4ccb3f8f677abf8596aab746680964907399dfe12289f8

SHA512
5cffc88a1a2aac8a3f547219de308c02c25a6579e497733b0b4487331a72f9cd3698ed6987d9cb999af7f6de2dcfc4c9b829ebcc2719f54aa8e8fcd5efe171e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\-zvhy.exe
Filesize
719KB

MD5
5cfcd1cb21be63288522804b0bf41e78

SHA1
221718e1e08511927c854e3a140771b42c51b22c

SHA256
c15b967e4707686feb6123a348cdec350dbc73c53a77b454fb046fa24296a880

SHA512
39f050484d9e30d9770ba035f13f245004515ad563bdd6bd0ad6ebce0f531f68607b006fc4c1aecd975824bb588081efc879a53c306a06bf334773f82880a76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\-zvhy.exe
Filesize
719KB

MD5
5cfcd1cb21be63288522804b0bf41e78

SHA1
221718e1e08511927c854e3a140771b42c51b22c

SHA256
c15b967e4707686feb6123a348cdec350dbc73c53a77b454fb046fa24296a880

SHA512
39f050484d9e30d9770ba035f13f245004515ad563bdd6bd0ad6ebce0f531f68607b006fc4c1aecd975824bb588081efc879a53c306a06bf334773f82880a76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/220-153-0x0000000000000000-mapping.dmp

Download
memory/676-141-0x0000000002790000-0x00000000028F2000-memory.dmp

Filesize
1.4MB

Download
memory/676-169-0x0000000007B80000-0x0000000007D12000-memory.dmp

Filesize
1.6MB

Download
memory/676-170-0x0000000007B80000-0x0000000007D12000-memory.dmp

Filesize
1.6MB

Download
memory/676-148-0x0000000007AC0000-0x0000000007B75000-memory.dmp

Filesize
724KB

Download
memory/676-150-0x0000000007AC0000-0x0000000007B75000-memory.dmp

Filesize
724KB

Download
memory/1560-151-0x0000000000000000-mapping.dmp

Download
memory/2824-140-0x0000000005140000-0x0000000005151000-memory.dmp

Filesize
68KB

Download
memory/2824-139-0x00000000051B0000-0x00000000054FA000-memory.dmp

Filesize
3.3MB

Download
memory/2824-138-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/2824-134-0x0000000000000000-mapping.dmp

Download
memory/3464-158-0x0000000002690000-0x00000000026BB000-memory.dmp

Filesize
172KB

Download
memory/3464-164-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/3464-155-0x0000000000000000-mapping.dmp

Download
memory/3464-163-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4224-168-0x0000000003AD0000-0x0000000003AE4000-memory.dmp

Filesize
80KB

Download
memory/4224-167-0x0000000003B40000-0x0000000003E8A000-memory.dmp

Filesize
3.3MB

Download
memory/4224-166-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4224-162-0x0000000000000000-mapping.dmp

Download
memory/4268-135-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4268-136-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4268-132-0x00000000021C0000-0x00000000021EB000-memory.dmp

Filesize
172KB

Download
memory/4712-143-0x0000000000000000-mapping.dmp

Download
memory/4792-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/4792-142-0x0000000000000000-mapping.dmp

Download
memory/4792-144-0x0000000000520000-0x0000000000547000-memory.dmp

Filesize
156KB

Download
memory/4792-149-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/4792-146-0x0000000002F50000-0x000000000329A000-memory.dmp

Filesize
3.3MB

Download
memory/4792-147-0x0000000002D80000-0x0000000002E10000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads