formbook | 4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1

General

Target

DHL INVOICE#-002834.exe
Size

306KB
MD5

9564349d362fe854594e13217800ea9f
SHA1

5067b33410d6a859f96e07d7fa006446b5e3abdb
SHA256

4aba8fe16a25f04df115b34a57b6fff9782664c208348cf57d921d12f158c8b1
SHA512

d919fbc75fd973ddd8e425b728d3ab7c251b5671493517d4eb8e825f6b26a4b5f36d70468b171a336bafcc6c8eaf9deea3c31af7ba26b9ba1aee9649b0b5a1ca
SSDEEP

6144:NBn0JAr0W067hhLsgQfQIRHWGdEzFgu+sdIEOZz9Kgzl:EerA67sF9Hj2RzEkql

Score

10^/10

formbook xloader codp loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

codp

Decoy

WLwbp9IgDF0DRbuq

oNQ7DHBzVHVMTxxxFCORk65Z5w==

eKyDm2P0S8i8tXrGSRxyN/GB+g==

DWLDupksnDvfKi7Q7PI=

JAaYbOFx1G0f4pcM36gDB3YaG796

KWQ71Z4U7+2Nv8K72OXED5M9oe8=

YJpvEHW5TU/wL02R9TiN0A==

tpQX78fPprFMi7ocSgXfUNYKpTq33Icp

a9Z0eju3FKFA/YBy+MQfG3QaG796

uQzt58fSssDUenxacQCY2g==

vijGzYPYOfi2gxZLhlbA

kZfzlQg7IGPxc29BJA==

dcQu+blQlxGyZu7qw5P4L6s=

TTIXAcXMr85yqqvxWBMqdrw=

xZb/tyGC8sOjIS7Q7PI=

KnzenvO+cXkVS3biKfRDwJ9Q5Q==

ZqZvDt9+yYxqh1Si

vZD8CtVZigY/cqnmLA==

QJy2dd/p0MO1Ji7Q7PI=

l+Hmoea3jsiAcqnmLA==

Extracted

Family

xloader

Version

3.ƅ

Campaign

codp

Decoy

WLwbp9IgDF0DRbuq

oNQ7DHBzVHVMTxxxFCORk65Z5w==

eKyDm2P0S8i8tXrGSRxyN/GB+g==

DWLDupksnDvfKi7Q7PI=

JAaYbOFx1G0f4pcM36gDB3YaG796

KWQ71Z4U7+2Nv8K72OXED5M9oe8=

YJpvEHW5TU/wL02R9TiN0A==

tpQX78fPprFMi7ocSgXfUNYKpTq33Icp

a9Z0eju3FKFA/YBy+MQfG3QaG796

uQzt58fSssDUenxacQCY2g==

vijGzYPYOfi2gxZLhlbA

kZfzlQg7IGPxc29BJA==

dcQu+blQlxGyZu7qw5P4L6s=

TTIXAcXMr85yqqvxWBMqdrw=

xZb/tyGC8sOjIS7Q7PI=

KnzenvO+cXkVS3biKfRDwJ9Q5Q==

ZqZvDt9+yYxqh1Si

vZD8CtVZigY/cqnmLA==

QJy2dd/p0MO1Ji7Q7PI=

l+Hmoea3jsiAcqnmLA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

nwbaihgld.exenwbaihgld.exe

pid process

1548 nwbaihgld.exe
904 nwbaihgld.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

nwbaihgld.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation nwbaihgld.exe
Loads dropped DLL 3 IoCs

Processes:

DHL INVOICE#-002834.exenwbaihgld.exeNAPSTAT.EXE

pid process

1544 DHL INVOICE#-002834.exe
1548 nwbaihgld.exe
1476 NAPSTAT.EXE

pid	process
1548	nwbaihgld.exe
904	nwbaihgld.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	nwbaihgld.exe

pid	process
1544	DHL INVOICE#-002834.exe
1548	nwbaihgld.exe
1476	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

nwbaihgld.exenwbaihgld.exeNAPSTAT.EXE

description	pid	process	target process
PID 1548 set thread context of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 904 set thread context of 1220	904	nwbaihgld.exe	Explorer.EXE
PID 1476 set thread context of 1220	1476	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

nwbaihgld.exeNAPSTAT.EXE

pid	process
904	nwbaihgld.exe
904	nwbaihgld.exe
904	nwbaihgld.exe
904	nwbaihgld.exe
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

nwbaihgld.exenwbaihgld.exeNAPSTAT.EXE

pid process

1548 nwbaihgld.exe
904 nwbaihgld.exe
904 nwbaihgld.exe
904 nwbaihgld.exe
1476 NAPSTAT.EXE
1476 NAPSTAT.EXE
1476 NAPSTAT.EXE
1476 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nwbaihgld.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 904 nwbaihgld.exe
Token: SeDebugPrivilege 1476 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

pid	process
1220	Explorer.EXE

pid	process
1548	nwbaihgld.exe
904	nwbaihgld.exe
904	nwbaihgld.exe
904	nwbaihgld.exe
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE
1476	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	904	nwbaihgld.exe
Token: SeDebugPrivilege	1476	NAPSTAT.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

DHL INVOICE#-002834.exenwbaihgld.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1544 wrote to memory of 1548	1544	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 1544 wrote to memory of 1548	1544	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 1544 wrote to memory of 1548	1544	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 1544 wrote to memory of 1548	1544	DHL INVOICE#-002834.exe	nwbaihgld.exe
PID 1548 wrote to memory of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 1548 wrote to memory of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 1548 wrote to memory of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 1548 wrote to memory of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 1548 wrote to memory of 904	1548	nwbaihgld.exe	nwbaihgld.exe
PID 1220 wrote to memory of 1476	1220	Explorer.EXE	NAPSTAT.EXE
PID 1220 wrote to memory of 1476	1220	Explorer.EXE	NAPSTAT.EXE
PID 1220 wrote to memory of 1476	1220	Explorer.EXE	NAPSTAT.EXE
PID 1220 wrote to memory of 1476	1220	Explorer.EXE	NAPSTAT.EXE
PID 1476 wrote to memory of 844	1476	NAPSTAT.EXE	Firefox.exe
PID 1476 wrote to memory of 844	1476	NAPSTAT.EXE	Firefox.exe
PID 1476 wrote to memory of 844	1476	NAPSTAT.EXE	Firefox.exe
PID 1476 wrote to memory of 844	1476	NAPSTAT.EXE	Firefox.exe
PID 1476 wrote to memory of 844	1476	NAPSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe
"C:\Users\Admin\AppData\Local\Temp\DHL INVOICE#-002834.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe" C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
"C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lfpawsddp.vnb
Filesize
185KB

MD5
63197a586b382ba5464003f7275236e6

SHA1
f2073ba4af95098e71bbb384383a227aecce8f35

SHA256
d411c5620287a19b2e4c41e7e1ae4e459199feb864c292304e21be73ea9029e6

SHA512
ab02ec855769551f784a7ee6287519648e0302cd0b1ddb3135bf5c635231d175aa7fa97d8cd27045bb2408c438150375498eea25a43104e0c6458a0adff44eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlpgzp.d
Filesize
5KB

MD5
d18c95ac432c99f8258833f63a5d2596

SHA1
68b4b9a95a574b05100c693b6f5a74ab2fd24351

SHA256
7a756c0994c7bd8ee13469088db0facaf20dac4b8ac46ad891cc9429af0c10c6

SHA512
23e49e410c676d8de243c90eed7e8ce97fa15a0ad617dc5cd3dd89e7492d28cd565dbdbbd367f428d85a0c4efb3ed28130ea1ae1d3e224cb9af42b0fbda992ac

Download Submit
\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
\Users\Admin\AppData\Local\Temp\nwbaihgld.exe
Filesize
98KB

MD5
5a5ff44ad9dbf2ad128e94d9f2cd5932

SHA1
6b0a95040616a32343d812ddd5398b0139c6a5e8

SHA256
38ac98c631349cc33767e9e04a2c8be4d1126ccec77735b7e285ecd53d44a90f

SHA512
029ba785a6598c599933719883390d11b1e598367d1eed256a9b8b66da83fbe5ee38ec5a29cab53f2a103f626f48bbb3e896071efac7f127363def8f699382d4

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
memory/904-66-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/904-62-0x00000000004012B0-mapping.dmp

Download
memory/904-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/904-67-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1220-77-0x0000000006C60000-0x0000000006DCA000-memory.dmp

Filesize
1.4MB

Download
memory/1220-68-0x0000000006500000-0x0000000006620000-memory.dmp

Filesize
1.1MB

Download
memory/1220-74-0x0000000006C60000-0x0000000006DCA000-memory.dmp

Filesize
1.4MB

Download
memory/1476-72-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/1476-71-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1476-70-0x0000000000100000-0x0000000000146000-memory.dmp

Filesize
280KB

Download
memory/1476-73-0x0000000000420000-0x00000000004AF000-memory.dmp

Filesize
572KB

Download
memory/1476-69-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1548-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads