formbook | d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe
Size

330KB
MD5

58a93d1d064b9e8265ea798531adb0bf
SHA1

d5e30f238fabd304d30ba2c726c71fb47765b494
SHA256

d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
SHA512

c5e9c0e07ea8904a45011380836ff8f0b936954729df4fb18f62414322f5815ec8ebc5803729a13b783cf87a5bd723fc821405e3579e017c7b19059e57f76bfb
SSDEEP

6144:PYa69K+mD7y0q2hhBCH4m6Qx8qQ5+/ucZiE2TZPwc7j0W6KmZE0HOkv/kBa:PYnUD71qc+6Q+qQuu/Tn396KmLDv/

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3484-139-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/3484-144-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1732-147-0x00000000008D0000-0x00000000008FC000-memory.dmp	xloader
behavioral1/memory/1732-151-0x00000000008D0000-0x00000000008FC000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

Processes:

xnozsgld.exexnozsgld.exest3dufwclv.exe

pid process

1436 xnozsgld.exe
3484 xnozsgld.exe
1360 st3dufwclv.exe

pid	process
1436	xnozsgld.exe
3484	xnozsgld.exe
1360	st3dufwclv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xnozsgld.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xnozsgld.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\V0XPQ2EPL8 = "C:\\Program Files (x86)\\D8p8xnhtp\\st3dufwclv.exe"	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xnozsgld.exexnozsgld.exechkdsk.exe

description	pid	process	target process
PID 1436 set thread context of 3484	1436	xnozsgld.exe	xnozsgld.exe
PID 3484 set thread context of 2584	3484	xnozsgld.exe	Explorer.EXE
PID 1732 set thread context of 2584	1732	chkdsk.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

chkdsk.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe	chkdsk.exe
File opened for modification	C:\Program Files (x86)\D8p8xnhtp	Explorer.EXE
File created	C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2168 1360 WerFault.exe st3dufwclv.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	pid_target	process	target process
2168	1360	WerFault.exe	st3dufwclv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

xnozsgld.exechkdsk.exe

pid	process
3484	xnozsgld.exe
3484	xnozsgld.exe
3484	xnozsgld.exe
3484	xnozsgld.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2584 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

xnozsgld.exexnozsgld.exechkdsk.exe

pid process

1436 xnozsgld.exe
3484 xnozsgld.exe
3484 xnozsgld.exe
3484 xnozsgld.exe
1732 chkdsk.exe
1732 chkdsk.exe
1732 chkdsk.exe
1732 chkdsk.exe

pid	process
2584	Explorer.EXE

pid	process
1436	xnozsgld.exe
3484	xnozsgld.exe
3484	xnozsgld.exe
3484	xnozsgld.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe
1732	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

xnozsgld.exechkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3484	xnozsgld.exe
Token: SeDebugPrivilege	1732	chkdsk.exe
Token: SeShutdownPrivilege	2584	Explorer.EXE
Token: SeCreatePagefilePrivilege	2584	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exexnozsgld.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 4032 wrote to memory of 1436	4032	d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe	xnozsgld.exe
PID 4032 wrote to memory of 1436	4032	d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe	xnozsgld.exe
PID 4032 wrote to memory of 1436	4032	d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe	xnozsgld.exe
PID 1436 wrote to memory of 3484	1436	xnozsgld.exe	xnozsgld.exe
PID 1436 wrote to memory of 3484	1436	xnozsgld.exe	xnozsgld.exe
PID 1436 wrote to memory of 3484	1436	xnozsgld.exe	xnozsgld.exe
PID 1436 wrote to memory of 3484	1436	xnozsgld.exe	xnozsgld.exe
PID 2584 wrote to memory of 1732	2584	Explorer.EXE	chkdsk.exe
PID 2584 wrote to memory of 1732	2584	Explorer.EXE	chkdsk.exe
PID 2584 wrote to memory of 1732	2584	Explorer.EXE	chkdsk.exe
PID 1732 wrote to memory of 5028	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 5028	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 5028	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 3444	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 3444	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 3444	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 2244	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 2244	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 2244	1732	chkdsk.exe	cmd.exe
PID 1732 wrote to memory of 3668	1732	chkdsk.exe	Firefox.exe
PID 1732 wrote to memory of 3668	1732	chkdsk.exe	Firefox.exe
PID 1732 wrote to memory of 3668	1732	chkdsk.exe	Firefox.exe
PID 2584 wrote to memory of 1360	2584	Explorer.EXE	st3dufwclv.exe
PID 2584 wrote to memory of 1360	2584	Explorer.EXE	st3dufwclv.exe
PID 2584 wrote to memory of 1360	2584	Explorer.EXE	st3dufwclv.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe
"C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
3⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2244

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3668

C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
"C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe"
2⤵
- Executes dropped EXE
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 468
3⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1360 -ip 1360
1⤵
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
Filesize
253KB

MD5
d8394c44bc790e1bdab00823f689c1bd

SHA1
735d8986424e2ab3440f49a7a720ecaad43d491d

SHA256
234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007

SHA512
c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

Download Submit
C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
Filesize
253KB

MD5
d8394c44bc790e1bdab00823f689c1bd

SHA1
735d8986424e2ab3440f49a7a720ecaad43d491d

SHA256
234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007

SHA512
c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa
Filesize
196KB

MD5
28eed71dacb4522dbf2c1aeca39e2c5d

SHA1
b5633dcf66f1657552ba992c55e7124250c23a35

SHA256
22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5

SHA512
7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucpha.v
Filesize
5KB

MD5
d934356067b6133646fad1aa12371a1e

SHA1
23fe2ea62be0949a32ea6609345a8b8d27ce3757

SHA256
81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5

SHA512
26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
Filesize
253KB

MD5
d8394c44bc790e1bdab00823f689c1bd

SHA1
735d8986424e2ab3440f49a7a720ecaad43d491d

SHA256
234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007

SHA512
c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
Filesize
253KB

MD5
d8394c44bc790e1bdab00823f689c1bd

SHA1
735d8986424e2ab3440f49a7a720ecaad43d491d

SHA256
234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007

SHA512
c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
Filesize
253KB

MD5
d8394c44bc790e1bdab00823f689c1bd

SHA1
735d8986424e2ab3440f49a7a720ecaad43d491d

SHA256
234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007

SHA512
c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

Download Submit
memory/1360-157-0x0000000000000000-mapping.dmp

Download
memory/1436-132-0x0000000000000000-mapping.dmp

Download
memory/1732-146-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1732-143-0x0000000000000000-mapping.dmp

Download
memory/1732-147-0x00000000008D0000-0x00000000008FC000-memory.dmp

Filesize
176KB

Download
memory/1732-148-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/1732-149-0x0000000000EA0000-0x0000000000F30000-memory.dmp

Filesize
576KB

Download
memory/1732-151-0x00000000008D0000-0x00000000008FC000-memory.dmp

Filesize
176KB

Download
memory/2244-155-0x0000000000000000-mapping.dmp

Download
memory/2584-142-0x00000000028B0000-0x00000000029BE000-memory.dmp

Filesize
1.1MB

Download
memory/2584-150-0x0000000008150000-0x00000000082AE000-memory.dmp

Filesize
1.4MB

Download
memory/2584-152-0x0000000008150000-0x00000000082AE000-memory.dmp

Filesize
1.4MB

Download
memory/3444-153-0x0000000000000000-mapping.dmp

Download
memory/3484-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3484-141-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/3484-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/3484-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3484-137-0x0000000000000000-mapping.dmp

Download
memory/5028-145-0x0000000000000000-mapping.dmp

Download