Malware Analysis Report

2025-06-16 05:13

Sample ID: 230125-z2qtsacc8s
Target: tmp
SHA256: d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
Tags: formbook xloader poub loader persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V6
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

Tags: formbook xloader poub loader persistence rat spyware stealer trojan

- Formbook
- Xloader
- Xloader payload
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Checks computer location settings
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates physical storage devices
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-25 21:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-25 21:13
Reported: 2023-01-25 21:15
Platform: win7-20220812-en
Max time kernel: 145s
Max time network: 149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Xloader (tags: loader xloader)

Xloader payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\mstsc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YXZDLRUH5 = "C:\\Program Files (x86)\\Gmbi4508\\ms2d-.exe" | C:\Windows\SysWOW64\mstsc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1648 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1556 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Windows\Explorer.EXE
PID 1556 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Windows\Explorer.EXE
PID 1396 set thread context of 1260 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Gmbi4508\ms2d-.exe | C:\Windows\SysWOW64\mstsc.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings (tags: adware spyware)

Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\mstsc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1916 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1916 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1916 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1916 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1648 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1648 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1648 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1648 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1648 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1260 wrote to memory of 1396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe
PID 1260 wrote to memory of 1396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe
PID 1260 wrote to memory of 1396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe
PID 1260 wrote to memory of 1396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe
PID 1396 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1396 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1396 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1396 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1396 wrote to memory of 1772 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Windows\SysWOW64\mstsc.exe
  Command line: "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.pmtj013.xyz | udp
N/A | 8.8.8.8:53 | www.w3bsports.club | udp
N/A | 34.102.136.180:80 | www.w3bsports.club | tcp
N/A | 8.8.8.8:53 | www.look856.com | udp
N/A | 180.215.68.138:80 | www.look856.com | tcp
N/A | 8.8.8.8:53 | www.anglicanadebrasilia.com | udp
N/A | 149.62.37.97:80 | www.anglicanadebrasilia.com | tcp
N/A | 8.8.8.8:53 | www.crimsonnight.org | udp
N/A | 34.117.168.233:80 | www.crimsonnight.org | tcp
N/A | 8.8.8.8:53 | www.peiphitan.com | udp
N/A | 192.64.115.133:80 | www.peiphitan.com | tcp
N/A | 8.8.8.8:53 | www.sqlite.org | udp
N/A | 45.33.6.223:80 | www.sqlite.org | tcp
N/A | 8.8.8.8:53 | www.232ppp.com | udp
N/A | 156.235.245.66:80 | www.232ppp.com | tcp
N/A | 8.8.8.8:53 | www.232ppp.com | udp
N/A | 156.235.245.66:80 | www.232ppp.com | tcp
N/A | 8.8.8.8:53 | www.ppparadise.xyz | udp
N/A | 133.167.73.73:80 | www.ppparadise.xyz | tcp
N/A | 8.8.8.8:53 | www.unimeet.club | udp
N/A | 34.117.168.233:80 | www.unimeet.club | tcp
N/A | 8.8.8.8:53 | www.adcki-xenmk.com | udp
N/A | 8.8.8.8:53 | www.drzjup.space | udp
N/A | 172.255.33.179:80 | www.drzjup.space | tcp

Files

memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  MD5    d8394c44bc790e1bdab00823f689c1bd
  SHA1   735d8986424e2ab3440f49a7a720ecaad43d491d
  SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
  SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

memory/1648-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  MD5    d8394c44bc790e1bdab00823f689c1bd
  SHA1   735d8986424e2ab3440f49a7a720ecaad43d491d
  SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
  SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\ucpha.v
  MD5    d934356067b6133646fad1aa12371a1e
  SHA1   23fe2ea62be0949a32ea6609345a8b8d27ce3757
  SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
  SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa
  MD5    28eed71dacb4522dbf2c1aeca39e2c5d
  SHA1   b5633dcf66f1657552ba992c55e7124250c23a35
  SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
  SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

memory/1556-62-0x000000000041FF10-mapping.dmp
memory/1556-64-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1556-65-0x0000000000730000-0x0000000000A33000-memory.dmp
memory/1556-66-0x0000000000480000-0x0000000000491000-memory.dmp
memory/1260-67-0x0000000005EA0000-0x0000000005F93000-memory.dmp
memory/1556-68-0x00000000006C0000-0x00000000006D1000-memory.dmp
memory/1260-69-0x0000000006020000-0x00000000060FE000-memory.dmp
memory/1396-70-0x0000000000000000-mapping.dmp
memory/1556-71-0x0000000000400000-0x000000000042C000-memory.dmp
memory/948-73-0x0000000000000000-mapping.dmp
memory/1396-75-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/1396-74-0x0000000000F40000-0x0000000001044000-memory.dmp
memory/1396-76-0x0000000000AF0000-0x0000000000DF3000-memory.dmp
memory/1396-77-0x0000000000970000-0x0000000000A00000-memory.dmp
memory/1260-78-0x0000000002C60000-0x0000000002CFC000-memory.dmp
memory/1396-79-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/1260-80-0x0000000002C60000-0x0000000002CFC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-25 21:13
Reported: 2023-01-25 21:15
Platform: win10v2004-20221111-en
Max time kernel: 148s
Max time network: 149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Xloader (tags: loader xloader)

Xloader payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2000 set thread context of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 2132 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Windows\Explorer.EXE
PID 2132 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.248.99.254:80 | | tcp
N/A | 20.42.65.88:443 | | tcp
N/A | 8.238.20.126:80 | | tcp
N/A | 8.238.20.126:80 | | tcp
N/A | 8.238.20.126:80 | | tcp
N/A | 104.80.225.205:443 | | tcp

Files

memory/2000-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
  MD5    d8394c44bc790e1bdab00823f689c1bd
  SHA1   735d8986424e2ab3440f49a7a720ecaad43d491d
  SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
  SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\ucpha.v
  MD5    d934356067b6133646fad1aa12371a1e
  SHA1   23fe2ea62be0949a32ea6609345a8b8d27ce3757
  SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
  SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa
  MD5    28eed71dacb4522dbf2c1aeca39e2c5d
  SHA1   b5633dcf66f1657552ba992c55e7124250c23a35
  SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
  SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

memory/2132-137-0x0000000000000000-mapping.dmp

memory/2132-139-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2132-140-0x0000000000BF0000-0x0000000000F3A000-memory.dmp
memory/2132-141-0x0000000000B10000-0x0000000000B21000-memory.dmp
memory/2744-142-0x0000000003310000-0x000000000343E000-memory.dmp
memory/2132-143-0x0000000000B80000-0x0000000000B91000-memory.dmp
memory/2744-144-0x0000000008D30000-0x0000000008E5B000-memory.dmp
memory/2132-145-0x0000000000400000-0x000000000042C000-memory.dmp