formbook | f24844ae60ec044f13365541b3e5f0cb41f9645ff7bc461820da7236518e2330

General

Target

Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
Size

527KB
MD5

935896b0a7367983d64d1cf39014c698
SHA1

a073a30a468a54458b30f3d9abfa712995426e7b
SHA256

f24844ae60ec044f13365541b3e5f0cb41f9645ff7bc461820da7236518e2330
SHA512

d4d287a355cf8a50f5b19d96f98c25241c5686ba657c4bfc33da0d0a4a0a3e23a84bc407a40fe0b411e4391037ada656f2d9eb25ee7fae607e3b729878616b9c
SSDEEP

6144:/kw+0xk6e96C2U/2aqg9JBP/ECkkDoozYIdG2Cgf1bN9lpPAS+JsMMvOhdI:slzAKp5k5oLMqJlpYDJzMvOhdI

Score

10^/10

formbook xloader m9ae loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.ƅ

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

dsabwv.exedsabwv.exe

pid process

2812 dsabwv.exe
2120 dsabwv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dsabwv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation dsabwv.exe

pid	process
2812	dsabwv.exe
2120	dsabwv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dsabwv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dsabwv.exedsabwv.exeexplorer.exe

description	pid	process	target process
PID 2812 set thread context of 2120	2812	dsabwv.exe	dsabwv.exe
PID 2120 set thread context of 3060	2120	dsabwv.exe	Explorer.EXE
PID 3388 set thread context of 3060	3388	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

dsabwv.exeexplorer.exe

pid	process
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dsabwv.exedsabwv.exeexplorer.exe

pid process

2812 dsabwv.exe
2120 dsabwv.exe
2120 dsabwv.exe
2120 dsabwv.exe
3388 explorer.exe
3388 explorer.exe
3388 explorer.exe
3388 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dsabwv.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2120 dsabwv.exe
Token: SeDebugPrivilege 3388 explorer.exe

pid	process
3060	Explorer.EXE

pid	process
2812	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
2120	dsabwv.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe
3388	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2120	dsabwv.exe
Token: SeDebugPrivilege	3388	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exedsabwv.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 4660 wrote to memory of 2812	4660	Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe	dsabwv.exe
PID 4660 wrote to memory of 2812	4660	Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe	dsabwv.exe
PID 4660 wrote to memory of 2812	4660	Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe	dsabwv.exe
PID 2812 wrote to memory of 2120	2812	dsabwv.exe	dsabwv.exe
PID 2812 wrote to memory of 2120	2812	dsabwv.exe	dsabwv.exe
PID 2812 wrote to memory of 2120	2812	dsabwv.exe	dsabwv.exe
PID 2812 wrote to memory of 2120	2812	dsabwv.exe	dsabwv.exe
PID 3060 wrote to memory of 3388	3060	Explorer.EXE	explorer.exe
PID 3060 wrote to memory of 3388	3060	Explorer.EXE	explorer.exe
PID 3060 wrote to memory of 3388	3060	Explorer.EXE	explorer.exe
PID 3388 wrote to memory of 5080	3388	explorer.exe	Firefox.exe
PID 3388 wrote to memory of 5080	3388	explorer.exe	Firefox.exe
PID 3388 wrote to memory of 5080	3388	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130 Second Party Ref128141001808.PDF.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
"C:\Users\Admin\AppData\Local\Temp\dsabwv.exe" C:\Users\Admin\AppData\Local\Temp\bsslvloumd.x
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
"C:\Users\Admin\AppData\Local\Temp\dsabwv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bsslvloumd.x
Filesize
5KB

MD5
8460cfa7e953e05eb15ae8a2ef8c7bfd

SHA1
aee6657a7c92efe7d54dea0c6589f0605f71fca6

SHA256
9f7575af4dadc05f6328dd289d9c08470af802f466e5ff34859df6a4b8803262

SHA512
b184ad074b77197231437c95018e0d0c74c2370e555607523940182ec2ceb232ed7eb526944cc9cc5691f2f46fa6715830fd4913541166310aa7d7d2eec821b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
Filesize
276KB

MD5
bc28ac82294e4faf2977ed0ca9ac9cd5

SHA1
16b251f10fdb5cbe3491d117d4e2d050cb595314

SHA256
86075385db5c75604bc9831c6e05f9d27db44f24f822b614ac67177180f934b7

SHA512
813ea4006ff39438b2439539f4b793f299a81965691047b3c474012f0a744751ac46f750bb6b6c06154dea696b0de19ad62743206ea22eb580f287a9a19043e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
Filesize
276KB

MD5
bc28ac82294e4faf2977ed0ca9ac9cd5

SHA1
16b251f10fdb5cbe3491d117d4e2d050cb595314

SHA256
86075385db5c75604bc9831c6e05f9d27db44f24f822b614ac67177180f934b7

SHA512
813ea4006ff39438b2439539f4b793f299a81965691047b3c474012f0a744751ac46f750bb6b6c06154dea696b0de19ad62743206ea22eb580f287a9a19043e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsabwv.exe
Filesize
276KB

MD5
bc28ac82294e4faf2977ed0ca9ac9cd5

SHA1
16b251f10fdb5cbe3491d117d4e2d050cb595314

SHA256
86075385db5c75604bc9831c6e05f9d27db44f24f822b614ac67177180f934b7

SHA512
813ea4006ff39438b2439539f4b793f299a81965691047b3c474012f0a744751ac46f750bb6b6c06154dea696b0de19ad62743206ea22eb580f287a9a19043e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtwrrtm.w
Filesize
185KB

MD5
5db68f680def35c080d6ba876cb5cae3

SHA1
1c4bc95b79350f41266c04786d522337f2c0f735

SHA256
d620f4bae9fc7070096a1b3031dc05ddb998d0b8a6ba74f8a1bea393c9546c89

SHA512
a94a8342999e23fe743f8b8ca1a9427ac690b3630c26236495d396c9c6b4f40f3dee417a33970cda9eab526c642ebbfc7d477ed5a80790db286783bf4c84f567

Download Submit
memory/2120-142-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2120-137-0x0000000000000000-mapping.dmp

Download
memory/2120-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp

Filesize
3.3MB

Download
memory/2120-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-132-0x0000000000000000-mapping.dmp

Download
memory/3060-148-0x0000000008340000-0x00000000084A2000-memory.dmp

Filesize
1.4MB

Download
memory/3060-143-0x0000000008340000-0x00000000084A2000-memory.dmp

Filesize
1.4MB

Download
memory/3060-152-0x0000000008900000-0x0000000008A17000-memory.dmp

Filesize
1.1MB

Download
memory/3060-150-0x0000000008900000-0x0000000008A17000-memory.dmp

Filesize
1.1MB

Download
memory/3388-144-0x0000000000000000-mapping.dmp

Download
memory/3388-147-0x0000000002870000-0x0000000002BBA000-memory.dmp

Filesize
3.3MB

Download
memory/3388-149-0x00000000026A0000-0x000000000272F000-memory.dmp

Filesize
572KB

Download
memory/3388-146-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3388-151-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/3388-145-0x00000000001D0000-0x0000000000603000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads