formbook | dd6ef39d8ed08e7355551c7140b5094d57f5c1bf70549f686ca18b9b1698e468

General

Target

Jyoti CNC Automation Ltd.exe
Size

386KB
MD5

76546253ae7de8218aaea566454db844
SHA1

fdeef99c922f422a1d49e7d692391a1afa1ac521
SHA256

dd6ef39d8ed08e7355551c7140b5094d57f5c1bf70549f686ca18b9b1698e468
SHA512

2d261ae2988644b7f0d033dda3aa0309f9f895d50d1539053b20702cf43adc6a1c5484bcf0b3b8ab6ffc7cd16d207c9b3ee518506783da525f2f91814942d1eb
SSDEEP

6144:hBn7A5jMUCoQxOXdAwD6D7OUg00HsWFyChk1ucywA+EpxWGFjSHl:vrsXd1O3OUfDWFyChk+wA+ER2F

Score

10^/10

formbook xloader m9ae loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.ƅ

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

gdewgyravi.exegdewgyravi.exe

pid process

3608 gdewgyravi.exe
2320 gdewgyravi.exe

pid	process
3608	gdewgyravi.exe
2320	gdewgyravi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gdewgyravi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gdewgyravi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gdewgyravi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vsrnknxbbfjpr = "C:\\Users\\Admin\\AppData\\Roaming\\vpucspicxonfp\\ivledueeepcrys.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gdewgyravi.exe\" C:\\Users\\Admin\\"	gdewgyravi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gdewgyravi.exegdewgyravi.execontrol.exe

description	pid	process	target process
PID 3608 set thread context of 2320	3608	gdewgyravi.exe	gdewgyravi.exe
PID 2320 set thread context of 652	2320	gdewgyravi.exe	Explorer.EXE
PID 220 set thread context of 652	220	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gdewgyravi.execontrol.exe

pid	process
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

652 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

gdewgyravi.exegdewgyravi.execontrol.exe

pid process

3608 gdewgyravi.exe
2320 gdewgyravi.exe
2320 gdewgyravi.exe
2320 gdewgyravi.exe
220 control.exe
220 control.exe
220 control.exe
220 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gdewgyravi.execontrol.exe

description pid process

Token: SeDebugPrivilege 2320 gdewgyravi.exe
Token: SeDebugPrivilege 220 control.exe

pid	process
652	Explorer.EXE

pid	process
3608	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
2320	gdewgyravi.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe

description	pid	process
Token: SeDebugPrivilege	2320	gdewgyravi.exe
Token: SeDebugPrivilege	220	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Jyoti CNC Automation Ltd.exegdewgyravi.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3404 wrote to memory of 3608	3404	Jyoti CNC Automation Ltd.exe	gdewgyravi.exe
PID 3404 wrote to memory of 3608	3404	Jyoti CNC Automation Ltd.exe	gdewgyravi.exe
PID 3404 wrote to memory of 3608	3404	Jyoti CNC Automation Ltd.exe	gdewgyravi.exe
PID 3608 wrote to memory of 2320	3608	gdewgyravi.exe	gdewgyravi.exe
PID 3608 wrote to memory of 2320	3608	gdewgyravi.exe	gdewgyravi.exe
PID 3608 wrote to memory of 2320	3608	gdewgyravi.exe	gdewgyravi.exe
PID 3608 wrote to memory of 2320	3608	gdewgyravi.exe	gdewgyravi.exe
PID 652 wrote to memory of 220	652	Explorer.EXE	control.exe
PID 652 wrote to memory of 220	652	Explorer.EXE	control.exe
PID 652 wrote to memory of 220	652	Explorer.EXE	control.exe
PID 220 wrote to memory of 1352	220	control.exe	Firefox.exe
PID 220 wrote to memory of 1352	220	control.exe	Firefox.exe
PID 220 wrote to memory of 1352	220	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\Jyoti CNC Automation Ltd.exe
  "C:\Users\Admin\AppData\Local\Temp\Jyoti CNC Automation Ltd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe
    "C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe" C:\Users\Admin\AppData\Local\Temp\enmpxrww.lqw
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe
      "C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duwlw.yil

Filesize
185KB

MD5
6af1f7f71544c056d5a3e1be13c37039

SHA1
35dd40721252cf258f9bd0ecd86e6888c0e4385c

SHA256
f9ca5eb8cae0b4ffede83c5de312a1b6dbc526ae2ba048bd9760852553d9f742

SHA512
86af6cb01413fb880f0e68223701b07564e819fc8dbeee8e8773faaee91eddd8d507ec0ae2d535314400566d4cc80fb305dfc6db909e43c7435d11a0d07c4c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\enmpxrww.lqw

Filesize
7KB

MD5
ea06d1f592896dff9f1dc843e24631ae

SHA1
34a159f17be945609f7f27932eadca34e7f246a2

SHA256
c40f5623dc86a4f5c36ddaefc4d3f3e3e3ae9b0ad5f7bb3fbd9cf096bdd49915

SHA512
cfb96e6869f62ff65c5cc2a138e2f33d71e73e5ea178caa019f25143b2c5cb0810dfb8a188f2f01b06a66ec597d53c4e71d9f65acfdeec8afb1c962efd28b072

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe

Filesize
99KB

MD5
19909c3b966b5b1b39c534d2e20720cd

SHA1
d42367909a22b7f3092a7e606beec75ee09e1da0

SHA256
219959ca29fa2c6450ac40bd5684f098db93b7b3aa5993175b87dc6b00e43513

SHA512
298c5ffb3345127946eff6334473dece6009118add41877070fb8482bae5f916f6faaeec0a57c52f5d4c1f6eb79dec5e91989b08d53f3f7dae009c92ce4adcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe

Filesize
99KB

MD5
19909c3b966b5b1b39c534d2e20720cd

SHA1
d42367909a22b7f3092a7e606beec75ee09e1da0

SHA256
219959ca29fa2c6450ac40bd5684f098db93b7b3aa5993175b87dc6b00e43513

SHA512
298c5ffb3345127946eff6334473dece6009118add41877070fb8482bae5f916f6faaeec0a57c52f5d4c1f6eb79dec5e91989b08d53f3f7dae009c92ce4adcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdewgyravi.exe

Filesize
99KB

MD5
19909c3b966b5b1b39c534d2e20720cd

SHA1
d42367909a22b7f3092a7e606beec75ee09e1da0

SHA256
219959ca29fa2c6450ac40bd5684f098db93b7b3aa5993175b87dc6b00e43513

SHA512
298c5ffb3345127946eff6334473dece6009118add41877070fb8482bae5f916f6faaeec0a57c52f5d4c1f6eb79dec5e91989b08d53f3f7dae009c92ce4adcc6

Download Submit
memory/220-145-0x0000000000000000-mapping.dmp

Download
memory/220-153-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/220-151-0x00000000021B0000-0x000000000223F000-memory.dmp

Filesize
572KB

Download
memory/220-150-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/220-149-0x0000000002330000-0x000000000267A000-memory.dmp

Filesize
3.3MB

Download
memory/220-148-0x0000000000780000-0x00000000007A7000-memory.dmp

Filesize
156KB

Download
memory/652-154-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/652-152-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/652-144-0x0000000002F40000-0x0000000003010000-memory.dmp

Filesize
832KB

Download
memory/2320-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/2320-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2320-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-143-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/2320-141-0x00000000018F0000-0x0000000001C3A000-memory.dmp

Filesize
3.3MB

Download
memory/2320-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2320-137-0x0000000000000000-mapping.dmp

Download
memory/3608-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads