formbook | 373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16

General

Target

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
Size

422KB
MD5

c01519ccb12236a0977c1654ead8f14e
SHA1

33cdbfa6067bf67108724dcdeeb7014748ff0896
SHA256

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16
SHA512

64e04c9a8aee4bc29ac4d89a19a2b4194a35616bc35c55c0be617c6173a35d2f5551a4040a47a9fd77a335b46f2ccaa782e6d613f1d33acac5004be0aed359a3
SSDEEP

6144:qBnmeG0xkz6C2U/2aqg9JBP/W9OGxEx82mThudVzCjmece9staSOdq9gmbn72:OGlaKpWcGOx2udQueAOIlC

Score

10^/10

formbook xloader m9ae loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.ƅ

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Executes dropped EXE 2 IoCs

Processes:

lmkqj.exelmkqj.exe

pid process

1456 lmkqj.exe
1224 lmkqj.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lmkqj.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation lmkqj.exe
Loads dropped DLL 3 IoCs

Processes:

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exelmkqj.exewininit.exe

pid process

1704 373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
1456 lmkqj.exe
688 wininit.exe

pid	process
1456	lmkqj.exe
1224	lmkqj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	lmkqj.exe

pid	process
1704	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
1456	lmkqj.exe
688	wininit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lmkqj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfcledy = "C:\\Users\\Admin\\AppData\\Roaming\\hkcddcd\\vgeyjkvexfnacj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\lmkqj.exe\" C:\\Users\\Admin\\AppData\\Loc"	lmkqj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lmkqj.exelmkqj.exewininit.exe

description	pid	process	target process
PID 1456 set thread context of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1224 set thread context of 1272	1224	lmkqj.exe	Explorer.EXE
PID 688 set thread context of 1272	688	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wininit.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

lmkqj.exewininit.exe

pid	process
1224	lmkqj.exe
1224	lmkqj.exe
1224	lmkqj.exe
1224	lmkqj.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lmkqj.exelmkqj.exewininit.exe

pid process

1456 lmkqj.exe
1224 lmkqj.exe
1224 lmkqj.exe
1224 lmkqj.exe
688 wininit.exe
688 wininit.exe
688 wininit.exe
688 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lmkqj.exewininit.exe

description pid process

Token: SeDebugPrivilege 1224 lmkqj.exe
Token: SeDebugPrivilege 688 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE

pid	process
1456	lmkqj.exe
1224	lmkqj.exe
1224	lmkqj.exe
1224	lmkqj.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe
688	wininit.exe

description	pid	process
Token: SeDebugPrivilege	1224	lmkqj.exe
Token: SeDebugPrivilege	688	wininit.exe

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exelmkqj.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1704 wrote to memory of 1456	1704	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 1704 wrote to memory of 1456	1704	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 1704 wrote to memory of 1456	1704	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 1704 wrote to memory of 1456	1704	373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe	lmkqj.exe
PID 1456 wrote to memory of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1456 wrote to memory of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1456 wrote to memory of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1456 wrote to memory of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1456 wrote to memory of 1224	1456	lmkqj.exe	lmkqj.exe
PID 1272 wrote to memory of 688	1272	Explorer.EXE	wininit.exe
PID 1272 wrote to memory of 688	1272	Explorer.EXE	wininit.exe
PID 1272 wrote to memory of 688	1272	Explorer.EXE	wininit.exe
PID 1272 wrote to memory of 688	1272	Explorer.EXE	wininit.exe
PID 688 wrote to memory of 1960	688	wininit.exe	Firefox.exe
PID 688 wrote to memory of 1960	688	wininit.exe	Firefox.exe
PID 688 wrote to memory of 1960	688	wininit.exe	Firefox.exe
PID 688 wrote to memory of 1960	688	wininit.exe	Firefox.exe
PID 688 wrote to memory of 1960	688	wininit.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe
"C:\Users\Admin\AppData\Local\Temp\373ddb58250751db49b54926cdd14ed7f99a46a8dbd4afca2626324439663f16.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
"C:\Users\Admin\AppData\Local\Temp\lmkqj.exe" C:\Users\Admin\AppData\Local\Temp\gjzvkkyig.re
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
"C:\Users\Admin\AppData\Local\Temp\lmkqj.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gjzvkkyig.re
Filesize
7KB

MD5
10f8e90e2dd7401fb3f721c98c81288e

SHA1
39b43b5d48b4a2d87429d967465f26c5917f32c7

SHA256
a8410a9f41d2af96098d194e8dabd8ad01760bd7d5460a06feefcac929009bc9

SHA512
0806cb941029c6eb4c73f6ab7a7b8f18b66dd7934ab752e2e55819a672bd3dcfcd0c60b706c1294c451ae5a2e8a02d18fe29097bcefae0d721aadca3998aa29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svlqdv.hgm
Filesize
185KB

MD5
b640508ca8194b7b7154e5284657d371

SHA1
a2c067da18b2180182eb61de6db7fcce59085e58

SHA256
1c6c854da27054259309d47bc738f711072ba7e75d3a2f2a18a8368c47a21adf

SHA512
0242e6c28b4f8a23cb9d0b611e33ef1097904850e54bbad1d0a62052e30083218fa7edc90f30d5f6c4432580f9f0b2c55d86068088f6980380e22197bb480c82

Download Submit
\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
\Users\Admin\AppData\Local\Temp\lmkqj.exe
Filesize
13KB

MD5
37c9b73565b20f58bdc6d5dd737d61a3

SHA1
c0888e25fd15cf927e36352bdf387c183d09211e

SHA256
60af5163fda45456f8d1e013932b7f1fb4dc008b052b2dabfe747ed0b6845f91

SHA512
d0a90d95eda915fb0e45b8133913126408628609c7cfad22f69cc9575d999319c616f5a0ed60fd38bf5a25b4459504c8b5ff187c9704fa6ec68cefc3b010a01c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
memory/688-73-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/688-71-0x0000000000000000-mapping.dmp

Download
memory/688-77-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/688-75-0x0000000000860000-0x00000000008EF000-memory.dmp

Filesize
572KB

Download
memory/688-74-0x0000000000B30000-0x0000000000E33000-memory.dmp

Filesize
3.0MB

Download
memory/688-72-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/1224-68-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1224-69-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1224-63-0x00000000004012B0-mapping.dmp

Download
memory/1224-67-0x0000000000B20000-0x0000000000E23000-memory.dmp

Filesize
3.0MB

Download
memory/1224-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1224-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-70-0x0000000006E10000-0x0000000006F11000-memory.dmp

Filesize
1.0MB

Download
memory/1272-76-0x0000000003F20000-0x0000000003FBF000-memory.dmp

Filesize
636KB

Download
memory/1272-79-0x0000000003F20000-0x0000000003FBF000-memory.dmp

Filesize
636KB

Download
memory/1456-56-0x0000000000000000-mapping.dmp

Download
memory/1704-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads