formbook | 76565bfaf2fe4e6ca50046fcd0cd13dd3ea45398a01a343bf9cec3cfe0998388

General

Target

RFQ PT089110.exe
Size

272KB
MD5

8ea739a14035ea523b015f33eafe6953
SHA1

228ee69b1fccea68b79f9c1a9bb9796882696cf3
SHA256

1a685538deaab9e0cfe393b43f4f08e48c076ce115911c46e93952a121322c87
SHA512

76d462569c16143c41ce75eb8e5f4f6304f32f42f939433752a5aa3fefcfa4550da8a55179dfef2d3eef0c6a41a9de8018de785669bfc6daf337a14323f98f2a
SSDEEP

6144:9kwrUMSvXxBADF+bVEN8fyqNkpHVtxgWljiXcU0GfJyqI2q:/UMEBBAAJVfjS1EWljiXcU0EJyqy

Score

10^/10

formbook xloader m5oe loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Extracted

Family

xloader

Version

3.ƅ

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

faclv.exefaclv.exe

pid process

956 faclv.exe
888 faclv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

faclv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation faclv.exe
Loads dropped DLL 3 IoCs

Processes:

RFQ PT089110.exefaclv.exemstsc.exe

pid process

1964 RFQ PT089110.exe
956 faclv.exe
268 mstsc.exe

pid	process
956	faclv.exe
888	faclv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	faclv.exe

pid	process
1964	RFQ PT089110.exe
956	faclv.exe
268	mstsc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

faclv.exefaclv.exemstsc.exe

description	pid	process	target process
PID 956 set thread context of 888	956	faclv.exe	faclv.exe
PID 888 set thread context of 1212	888	faclv.exe	Explorer.EXE
PID 888 set thread context of 1212	888	faclv.exe	Explorer.EXE
PID 268 set thread context of 1212	268	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

faclv.exemstsc.exe

pid	process
888	faclv.exe
888	faclv.exe
888	faclv.exe
888	faclv.exe
888	faclv.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

faclv.exefaclv.exemstsc.exe

pid process

956 faclv.exe
888 faclv.exe
888 faclv.exe
888 faclv.exe
888 faclv.exe
268 mstsc.exe
268 mstsc.exe
268 mstsc.exe
268 mstsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

faclv.exemstsc.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 888 faclv.exe
Token: SeDebugPrivilege 268 mstsc.exe
Token: SeShutdownPrivilege 1212 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE

pid	process
956	faclv.exe
888	faclv.exe
888	faclv.exe
888	faclv.exe
888	faclv.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe
268	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	888	faclv.exe
Token: SeDebugPrivilege	268	mstsc.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ PT089110.exefaclv.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1964 wrote to memory of 956	1964	RFQ PT089110.exe	faclv.exe
PID 1964 wrote to memory of 956	1964	RFQ PT089110.exe	faclv.exe
PID 1964 wrote to memory of 956	1964	RFQ PT089110.exe	faclv.exe
PID 1964 wrote to memory of 956	1964	RFQ PT089110.exe	faclv.exe
PID 956 wrote to memory of 888	956	faclv.exe	faclv.exe
PID 956 wrote to memory of 888	956	faclv.exe	faclv.exe
PID 956 wrote to memory of 888	956	faclv.exe	faclv.exe
PID 956 wrote to memory of 888	956	faclv.exe	faclv.exe
PID 956 wrote to memory of 888	956	faclv.exe	faclv.exe
PID 1212 wrote to memory of 268	1212	Explorer.EXE	mstsc.exe
PID 1212 wrote to memory of 268	1212	Explorer.EXE	mstsc.exe
PID 1212 wrote to memory of 268	1212	Explorer.EXE	mstsc.exe
PID 1212 wrote to memory of 268	1212	Explorer.EXE	mstsc.exe
PID 268 wrote to memory of 1740	268	mstsc.exe	Firefox.exe
PID 268 wrote to memory of 1740	268	mstsc.exe	Firefox.exe
PID 268 wrote to memory of 1740	268	mstsc.exe	Firefox.exe
PID 268 wrote to memory of 1740	268	mstsc.exe	Firefox.exe
PID 268 wrote to memory of 1740	268	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe" C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
Filesize
5KB

MD5
c4da7b1938a01beace3d69275e1826f9

SHA1
bb7e8c0d6b9e404551d45e9d1701a49a6aa41eda

SHA256
7d1696aa4c800e800aa5b49124b66cc00e94d155e78cd06aece207a9d7b7e47d

SHA512
9a6493fb8eaee411248e0eb65b134baee7d2746d9ff0af493f7083c6403f80c1c0588971409e2c1a5d785b674b029eaf6122d2f60bce7cc16154d91947e97fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhphjyjg.axk
Filesize
185KB

MD5
c290c052854d20566294229800e4471d

SHA1
eb4cef65b362a4ade2977078286e60b06551d2c3

SHA256
69c12b29ea58482fa5a07f00810e350c9436d40808f4b9bcc6567b32f8104255

SHA512
d199fc2fed053c1d5107084fd9930630bcb297ce281b3fdc62e83ecf641e62f1b9d64049b446f9d546347ca025305dd4f699defb1c661a1646dd9583a0207d7d

Download Submit
\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/268-77-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/268-79-0x0000000000780000-0x000000000080F000-memory.dmp

Filesize
572KB

Download
memory/268-81-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/268-76-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/268-75-0x0000000000840000-0x0000000000944000-memory.dmp

Filesize
1.0MB

Download
memory/268-72-0x0000000000000000-mapping.dmp

Download
memory/888-70-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/888-68-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/888-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-67-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/888-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-63-0x00000000004012B0-mapping.dmp

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1212-69-0x0000000004B60000-0x0000000004C62000-memory.dmp

Filesize
1.0MB

Download
memory/1212-78-0x0000000004D20000-0x0000000004E21000-memory.dmp

Filesize
1.0MB

Download
memory/1212-80-0x0000000004E30000-0x0000000004FA0000-memory.dmp

Filesize
1.4MB

Download
memory/1212-82-0x0000000004E30000-0x0000000004FA0000-memory.dmp

Filesize
1.4MB

Download
memory/1212-71-0x0000000004D20000-0x0000000004E21000-memory.dmp

Filesize
1.0MB

Download
memory/1964-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads