formbook | f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11/01/2023, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice NO 22073895.exe
Size

422KB
MD5

dee7396305b42cf03353059427ef8338
SHA1

656b2744eed942b4a4659d73813e3bebe704eb5a
SHA256

f5ae9ee403c63e78514c23cdb6297c09a5367c241f6151def5fe1fc096946de4
SHA512

d7b0a4e2f1478272dad605f92137e6cc649d3ffbee6e27710d290c4983a22d3e7bf8f3117c3e3b76c9044cc00e0503f9061454a2faa3d2651fb56323330f4159
SSDEEP

6144:oYa63qgvG1/xZGA3iCc34BJ8/BL7jYaMRHajFvC/H2wGy1JBq6Ou:oYNnvKHyx2J8xQvVa4/HBGy1Xr

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1324-66-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/564-72-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader
behavioral1/memory/564-77-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

pid	Process
1956	yuzvbe.exe
1324	yuzvbe.exe
1644	vgazhg4mxxx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	yuzvbe.exe

Loads dropped DLL 7 IoCs

pid	Process
1720	Invoice NO 22073895.exe
1720	Invoice NO 22073895.exe
1956	yuzvbe.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\J0A4ANSH7V = "C:\\Program Files (x86)\\O0fdx\\vgazhg4mxxx.exe"	systray.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 1324	1956	yuzvbe.exe	29
PID 1324 set thread context of 1248	1324	yuzvbe.exe	15
PID 564 set thread context of 1248	564	systray.exe	15

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe	systray.exe
File created	C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	1644	WerFault.exe	36

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1324	yuzvbe.exe
1324	yuzvbe.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1956	yuzvbe.exe
1324	yuzvbe.exe
1324	yuzvbe.exe
1324	yuzvbe.exe
564	systray.exe
564	systray.exe
564	systray.exe
564	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	yuzvbe.exe
Token: SeDebugPrivilege	564	systray.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1956	1720	Invoice NO 22073895.exe	28
PID 1720 wrote to memory of 1956	1720	Invoice NO 22073895.exe	28
PID 1720 wrote to memory of 1956	1720	Invoice NO 22073895.exe	28
PID 1720 wrote to memory of 1956	1720	Invoice NO 22073895.exe	28
PID 1956 wrote to memory of 1324	1956	yuzvbe.exe	29
PID 1956 wrote to memory of 1324	1956	yuzvbe.exe	29
PID 1956 wrote to memory of 1324	1956	yuzvbe.exe	29
PID 1956 wrote to memory of 1324	1956	yuzvbe.exe	29
PID 1956 wrote to memory of 1324	1956	yuzvbe.exe	29
PID 1248 wrote to memory of 564	1248	Explorer.EXE	30
PID 1248 wrote to memory of 564	1248	Explorer.EXE	30
PID 1248 wrote to memory of 564	1248	Explorer.EXE	30
PID 1248 wrote to memory of 564	1248	Explorer.EXE	30
PID 564 wrote to memory of 1412	564	systray.exe	31
PID 564 wrote to memory of 1412	564	systray.exe	31
PID 564 wrote to memory of 1412	564	systray.exe	31
PID 564 wrote to memory of 1412	564	systray.exe	31
PID 564 wrote to memory of 1476	564	systray.exe	34
PID 564 wrote to memory of 1476	564	systray.exe	34
PID 564 wrote to memory of 1476	564	systray.exe	34
PID 564 wrote to memory of 1476	564	systray.exe	34
PID 564 wrote to memory of 1476	564	systray.exe	34
PID 1248 wrote to memory of 1644	1248	Explorer.EXE	36
PID 1248 wrote to memory of 1644	1248	Explorer.EXE	36
PID 1248 wrote to memory of 1644	1248	Explorer.EXE	36
PID 1248 wrote to memory of 1644	1248	Explorer.EXE	36
PID 1644 wrote to memory of 1472	1644	vgazhg4mxxx.exe	37
PID 1644 wrote to memory of 1472	1644	vgazhg4mxxx.exe	37
PID 1644 wrote to memory of 1472	1644	vgazhg4mxxx.exe	37
PID 1644 wrote to memory of 1472	1644	vgazhg4mxxx.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\Invoice NO 22073895.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice NO 22073895.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe
    "C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe" C:\Users\Admin\AppData\Local\Temp\oiudcvk.naz
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe
      "C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1324
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe"
    3⤵
    PID:1412
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1476
- C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe
  "C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
C:\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnlqt.ylv

Filesize
196KB

MD5
c72cb34300327e99eb492e77f72bd939

SHA1
6d1e70b919f8d28dfafff422bf3ca812d095bbea

SHA256
1626ef2488418b4956a5b2d973d03c6ff2c61892b2aafa5ff252048a32383923

SHA512
fc1c116065c03600d687375008ab90eeebbcf678db469549877d70a254fc491d383d01280756777ab35fd7c024b674d0f637ecaf9da95c21b7f6087b5d67e561

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiudcvk.naz

Filesize
5KB

MD5
84246e403c2b874c2bf654d2b6257b1b

SHA1
de9d51e2deed96c0e4d6a442605214019d0d318f

SHA256
00e6e836f3118ae645edc02d49a29d96dca6691853ef158217f78b523a92a64e

SHA512
5a92e73c89e48d9d44653e15eb055741f5d2c266783e6faf9742220d7e6959c8196e6a5bbd647f62170995f45f03a23d537800439d1aac7ddb69b226ded02d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Program Files (x86)\O0fdx\vgazhg4mxxx.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
\Users\Admin\AppData\Local\Temp\yuzvbe.exe

Filesize
84KB

MD5
bb7ce9d5bf22e0feaaa9edf66bf01316

SHA1
e9ff3c8b46963f58b74ea69b293530ebe691d188

SHA256
a1dc5eb9fc043bb98f9cd8feaeec06d32eb3ba8e0a5a3ba26de41b8e728c6f51

SHA512
ca7910b68f486b619883855e6f4cd90334346bf887f7e2c9c24377b6780f2ef63bec95581cf892cdde26e718edf89cf229ccf36e9c3632ba0c82dbfb2fbb1703

Download Submit
memory/564-71-0x0000000000880000-0x0000000000885000-memory.dmp

Filesize
20KB

Download
memory/564-72-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/564-74-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/564-75-0x00000000007A0000-0x0000000000830000-memory.dmp

Filesize
576KB

Download
memory/564-77-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1248-69-0x00000000067F0000-0x0000000006948000-memory.dmp

Filesize
1.3MB

Download
memory/1248-78-0x0000000003A20000-0x0000000003ABA000-memory.dmp

Filesize
616KB

Download
memory/1248-76-0x0000000003A20000-0x0000000003ABA000-memory.dmp

Filesize
616KB

Download
memory/1324-67-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1324-68-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1324-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1720-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download