formbook | 9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload_formbook.exe
Size

188KB
MD5

96525c4a51a40ab74dcb485b86d72a84
SHA1

c0f5fb91272bcf033156266d447fadb58668fb96
SHA256

9e7423c4b8904ca8dc44c184cd15e755e1e0b554a9182b0e5d4c4e85f341eb84
SHA512

96f142b2eabc5109d87df0b3a6f39a4e735401981d71e471753215b2048924cb9f4f028f3b830de4f5f93d3e4d8711247c1d187f86549e6c3c8c06cfef62b3e3
SSDEEP

3072:y8qzRkfWIYczfzD7nqV+K0fp1TpckexJReVMsYykt9WIFMfWynpXA:yziWIYGzD77jp1FMRKMsCFMrn

Score

10^/10

formbook xloader pgnt loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Extracted

Family

xloader

Version

3.�E

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

payload_formbook.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	payload_formbook.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

payload_formbook.exenetsh.exe

description	pid	process	target process
PID 2112 set thread context of 2628	2112	payload_formbook.exe	Explorer.EXE
PID 2596 set thread context of 2628	2596	netsh.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

payload_formbook.exenetsh.exe

pid	process
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2112	payload_formbook.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe
2596	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2628 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

payload_formbook.exenetsh.exe

pid process

2112 payload_formbook.exe
2112 payload_formbook.exe
2112 payload_formbook.exe
2596 netsh.exe
2596 netsh.exe
2596 netsh.exe
2596 netsh.exe

pid	process
2628	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

payload_formbook.exenetsh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2112	payload_formbook.exe
Token: SeDebugPrivilege	2596	netsh.exe
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE
Token: SeShutdownPrivilege	2628	Explorer.EXE
Token: SeCreatePagefilePrivilege	2628	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Explorer.EXEnetsh.exe

description	pid	process	target process
PID 2628 wrote to memory of 2596	2628	Explorer.EXE	netsh.exe
PID 2628 wrote to memory of 2596	2628	Explorer.EXE	netsh.exe
PID 2628 wrote to memory of 2596	2628	Explorer.EXE	netsh.exe
PID 2596 wrote to memory of 1948	2596	netsh.exe	Firefox.exe
PID 2596 wrote to memory of 1948	2596	netsh.exe	Firefox.exe
PID 2596 wrote to memory of 1948	2596	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\payload_formbook.exe
"C:\Users\Admin\AppData\Local\Temp\payload_formbook.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-132-0x0000000000870000-0x000000000089F000-memory.dmp

Filesize
188KB

Download
memory/2112-133-0x0000000001480000-0x00000000017CA000-memory.dmp

Filesize
3.3MB

Download
memory/2112-135-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/2112-134-0x0000000000870000-0x000000000089F000-memory.dmp

Filesize
188KB

Download
memory/2596-137-0x0000000000000000-mapping.dmp

Download
memory/2596-138-0x00000000009B0000-0x00000000009CE000-memory.dmp

Filesize
120KB

Download
memory/2596-140-0x0000000001C40000-0x0000000001F8A000-memory.dmp

Filesize
3.3MB

Download
memory/2596-139-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/2596-141-0x0000000001A70000-0x0000000001AFF000-memory.dmp

Filesize
572KB

Download
memory/2596-143-0x0000000000F40000-0x0000000000F6D000-memory.dmp

Filesize
180KB

Download
memory/2628-136-0x0000000008EB0000-0x0000000009047000-memory.dmp

Filesize
1.6MB

Download
memory/2628-142-0x00000000030E0000-0x0000000003172000-memory.dmp

Filesize
584KB

Download
memory/2628-144-0x00000000030E0000-0x0000000003172000-memory.dmp

Filesize
584KB

Download
memory/2628-145-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-146-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-147-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-148-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-150-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-149-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-151-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-152-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/2628-153-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-154-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-155-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-156-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-157-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-158-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-159-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-160-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-161-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-162-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-163-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-164-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-165-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-166-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-167-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-168-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-169-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-170-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2628-171-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-172-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-173-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-174-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-175-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-176-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-177-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-178-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-181-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2628-180-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-183-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-184-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-179-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-186-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-188-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-187-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-189-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-190-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-191-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-192-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-193-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2628-194-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-195-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2628-196-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-197-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2628-198-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download