formbook | 93887029eda377fa78729cbf1c96c582c029a828a8f721b731d5ecdda7555fec

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
Size

422KB
MD5

2671db3cba1e1848ec04b0dfb326fea8
SHA1

e78905b037becf55e0049aa3247f1bcecc379cd3
SHA256

93887029eda377fa78729cbf1c96c582c029a828a8f721b731d5ecdda7555fec
SHA512

7023a6be740c4e3ee0a1e3c12df743976130a20ab7a0cafed1f88fd5ff623587ca31a2317d727ec1c2f89adb33aa7f4c54567323a7d3b6f878124256e3baf908
SSDEEP

6144:qBnmeG0xkz6C2U/2aqg9JBP/W5/tuzQxgJhyESBNoliLAmtESJwx6rbs8S:OGlaKpW5/tuxJhyfB6iLA8ac/S

Score

10^/10

formbook xloader m9ae loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.ƅ

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

opwovm.exeopwovm.exe

pid process

2784 opwovm.exe
4340 opwovm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

opwovm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation opwovm.exe

pid	process
2784	opwovm.exe
4340	opwovm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	opwovm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

opwovm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\satytuyqndhqqq = "C:\\Users\\Admin\\AppData\\Roaming\\pugcbmf\\wnrbbehkxrwbgu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\opwovm.exe\" C:\\Users\\Admin\\AppData\\Lo"	opwovm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

opwovm.exeopwovm.exemsdt.exe

description	pid	process	target process
PID 2784 set thread context of 4340	2784	opwovm.exe	opwovm.exe
PID 4340 set thread context of 3048	4340	opwovm.exe	Explorer.EXE
PID 5056 set thread context of 3048	5056	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

opwovm.exemsdt.exe

pid	process
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

opwovm.exeopwovm.exemsdt.exe

pid process

2784 opwovm.exe
4340 opwovm.exe
4340 opwovm.exe
4340 opwovm.exe
5056 msdt.exe
5056 msdt.exe
5056 msdt.exe
5056 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

opwovm.exemsdt.exe

description pid process

Token: SeDebugPrivilege 4340 opwovm.exe
Token: SeDebugPrivilege 5056 msdt.exe

pid	process
3048	Explorer.EXE

pid	process
2784	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
4340	opwovm.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe
5056	msdt.exe

description	pid	process
Token: SeDebugPrivilege	4340	opwovm.exe
Token: SeDebugPrivilege	5056	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeopwovm.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 3108 wrote to memory of 2784	3108	SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe	opwovm.exe
PID 3108 wrote to memory of 2784	3108	SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe	opwovm.exe
PID 3108 wrote to memory of 2784	3108	SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe	opwovm.exe
PID 2784 wrote to memory of 4340	2784	opwovm.exe	opwovm.exe
PID 2784 wrote to memory of 4340	2784	opwovm.exe	opwovm.exe
PID 2784 wrote to memory of 4340	2784	opwovm.exe	opwovm.exe
PID 2784 wrote to memory of 4340	2784	opwovm.exe	opwovm.exe
PID 3048 wrote to memory of 5056	3048	Explorer.EXE	msdt.exe
PID 3048 wrote to memory of 5056	3048	Explorer.EXE	msdt.exe
PID 3048 wrote to memory of 5056	3048	Explorer.EXE	msdt.exe
PID 5056 wrote to memory of 3132	5056	msdt.exe	Firefox.exe
PID 5056 wrote to memory of 3132	5056	msdt.exe	Firefox.exe
PID 5056 wrote to memory of 3132	5056	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\opwovm.exe
"C:\Users\Admin\AppData\Local\Temp\opwovm.exe" C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\opwovm.exe
"C:\Users\Admin\AppData\Local\Temp\opwovm.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
Filesize
7KB

MD5
9a98bcbaeadc635d0612286a89c766a9

SHA1
05293ad929c73cde605a08682691613a8b05c4b0

SHA256
1e740c732eeb938a59122b1b15e3ec15d56ac5b2a6462f1662c8b98465243181

SHA512
fd62d37d09907bd390257da69a36117a305f56bf94e74dc9063924c0f30f21aedcf66f066f3824b3ee34c53637206d4a286eb81ccafdbeea079525b9941ec2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize
12KB

MD5
6e53ec51f109b4b2f96df15d9f57b63c

SHA1
8c5d9586542abf5ff996a1e29dd079197c85483e

SHA256
6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e

SHA512
98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize
12KB

MD5
6e53ec51f109b4b2f96df15d9f57b63c

SHA1
8c5d9586542abf5ff996a1e29dd079197c85483e

SHA256
6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e

SHA512
98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize
12KB

MD5
6e53ec51f109b4b2f96df15d9f57b63c

SHA1
8c5d9586542abf5ff996a1e29dd079197c85483e

SHA256
6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e

SHA512
98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjxwsz.gz
Filesize
185KB

MD5
6d5c5d1fb0c5217ddaf28db7ae4e5a91

SHA1
2c911a84e92136f2f37ca979198b4b5ac1f3f2d7

SHA256
3c483f7dfd417a90a73fb0305e3dedd0e5a91bdb2b17c8209308e4d90c2ab1ba

SHA512
5e8084ab7c9001823878a8099dcbb37df11419c31b3c4200a020c46a0354226d4c31d3a247c0bfcef02c5a1b284527e86b87eaba5918e1fafa02a11f424dfc48

Download Submit
memory/2784-132-0x0000000000000000-mapping.dmp

Download
memory/3048-154-0x0000000007D30000-0x0000000007E5D000-memory.dmp

Filesize
1.2MB

Download
memory/3048-152-0x0000000007D30000-0x0000000007E5D000-memory.dmp

Filesize
1.2MB

Download
memory/3048-144-0x00000000075E0000-0x0000000007712000-memory.dmp

Filesize
1.2MB

Download
memory/4340-142-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/4340-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-143-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4340-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4340-137-0x0000000000000000-mapping.dmp

Download
memory/4340-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4340-141-0x0000000001910000-0x0000000001C5A000-memory.dmp

Filesize
3.3MB

Download
memory/5056-148-0x00000000009D0000-0x0000000000A27000-memory.dmp

Filesize
348KB

Download
memory/5056-150-0x0000000003330000-0x000000000367A000-memory.dmp

Filesize
3.3MB

Download
memory/5056-151-0x0000000003060000-0x00000000030EF000-memory.dmp

Filesize
572KB

Download
memory/5056-149-0x0000000001220000-0x000000000124D000-memory.dmp

Filesize
180KB

Download
memory/5056-153-0x0000000001220000-0x000000000124D000-memory.dmp

Filesize
180KB

Download
memory/5056-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads