formbook | 7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558

General

Target

7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
Size

508KB
MD5

abeda51681ababbfbea5aae1693fb79f
SHA1

39042770e0fa6d074c57a3aecca66a0f158f019d
SHA256

7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558
SHA512

30a2c6b232b2f38cbd830530cebabef4d12610dc69b5f242aeb98ea242023448c78e780894b80d5f6aff6fae2e57a662f2d89b40ee8c9f610c11e9cc6c8d1022
SSDEEP

12288:1Y0ukcHj/50WRfx0Bg4xR0VKuWfeopJzByb5m:1YGcD/2QfuB1xmnWrJmA

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1972-139-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/1972-144-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/1164-147-0x00000000001B0000-0x00000000001DC000-memory.dmp	xloader
behavioral2/memory/1164-149-0x00000000001B0000-0x00000000001DC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tgmli.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation tgmli.exe
Executes dropped EXE 2 IoCs

Processes:

tgmli.exetgmli.exe

pid process

3568 tgmli.exe
1972 tgmli.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tgmli.exe

pid	process
3568	tgmli.exe
1972	tgmli.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tgmli.exetgmli.exesystray.exe

description	pid	process	target process
PID 3568 set thread context of 1972	3568	tgmli.exe	tgmli.exe
PID 1972 set thread context of 2696	1972	tgmli.exe	Explorer.EXE
PID 1164 set thread context of 2696	1164	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

tgmli.exesystray.exe

pid	process
1972	tgmli.exe
1972	tgmli.exe
1972	tgmli.exe
1972	tgmli.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2696 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tgmli.exetgmli.exesystray.exe

pid process

3568 tgmli.exe
1972 tgmli.exe
1972 tgmli.exe
1972 tgmli.exe
1164 systray.exe
1164 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tgmli.exesystray.exe

description pid process

Token: SeDebugPrivilege 1972 tgmli.exe
Token: SeDebugPrivilege 1164 systray.exe

pid	process
2696	Explorer.EXE

pid	process
3568	tgmli.exe
1972	tgmli.exe
1972	tgmli.exe
1972	tgmli.exe
1164	systray.exe
1164	systray.exe

description	pid	process
Token: SeDebugPrivilege	1972	tgmli.exe
Token: SeDebugPrivilege	1164	systray.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exetgmli.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3928 wrote to memory of 3568	3928	7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe	tgmli.exe
PID 3928 wrote to memory of 3568	3928	7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe	tgmli.exe
PID 3928 wrote to memory of 3568	3928	7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe	tgmli.exe
PID 3568 wrote to memory of 1972	3568	tgmli.exe	tgmli.exe
PID 3568 wrote to memory of 1972	3568	tgmli.exe	tgmli.exe
PID 3568 wrote to memory of 1972	3568	tgmli.exe	tgmli.exe
PID 3568 wrote to memory of 1972	3568	tgmli.exe	tgmli.exe
PID 2696 wrote to memory of 1164	2696	Explorer.EXE	systray.exe
PID 2696 wrote to memory of 1164	2696	Explorer.EXE	systray.exe
PID 2696 wrote to memory of 1164	2696	Explorer.EXE	systray.exe
PID 1164 wrote to memory of 3456	1164	systray.exe	cmd.exe
PID 1164 wrote to memory of 3456	1164	systray.exe	cmd.exe
PID 1164 wrote to memory of 3456	1164	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe
"C:\Users\Admin\AppData\Local\Temp\7cc9e9b1b2094c17d806dfba5b9852c1446a1eff34b4c6fb9440c7bf9a224558.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\tgmli.exe
"C:\Users\Admin\AppData\Local\Temp\tgmli.exe" C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\tgmli.exe
"C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tgmli.exe"
3⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tgmli.exe
Filesize
49KB

MD5
fed85168d72837338b8ec14ce5dba2bd

SHA1
241a002fe019746728ff8458104ee8b426e5fbeb

SHA256
0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec

SHA512
5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgmli.exe
Filesize
49KB

MD5
fed85168d72837338b8ec14ce5dba2bd

SHA1
241a002fe019746728ff8458104ee8b426e5fbeb

SHA256
0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec

SHA512
5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgmli.exe
Filesize
49KB

MD5
fed85168d72837338b8ec14ce5dba2bd

SHA1
241a002fe019746728ff8458104ee8b426e5fbeb

SHA256
0d17eefa2d2dc7815593aff4131d64ab13570f5dfdb5f444e8a934a7d4b87eec

SHA512
5cbd4b07eb445f5e53e2abf77be354e5faf6bc851ec905f524dc1e8be36d16deed4ce0efaddaa4cd8e14be02a37d68d3fb059aedcb97fc63c34557e420008383

Download Submit
C:\Users\Admin\AppData\Local\Temp\wryyfbf.lci
Filesize
196KB

MD5
98b5c3cc507feb63fbb12b323d0efca0

SHA1
19e8a61b7f7341a469e9e722fe6fa69614ab34bf

SHA256
fc5ec7ad28f780035bee10ea5f37598b4a3e8a0d0778a52900b26e297b30660a

SHA512
f496a5fadc931a42999815d28a54eed4fd93ddd68ccf8662e5b8309cd4d243ab15c929a369dd4448b8d69cd05083a3b7d11a3fe46fc77e7413fc2a8eb8f185a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvlaizdvps.x
Filesize
5KB

MD5
54258cdc368536ec81a8a8e1fd173c8d

SHA1
9e5ca83a5b449389fa324b6f0ca50fad84466cbc

SHA256
4b533846065415a52517c37b9f47861117deede01b1db95b869d4b67dfa45203

SHA512
ad60b4ee218a14e0259619534c4a603c8f5f741f2ed7fd61af1e9f8bb1005773b9d94a509390d99a51f085697e9ad10b4142bf18f3fc1541ee0733c33729d8b7

Download Submit
memory/1164-143-0x0000000000000000-mapping.dmp

Download
memory/1164-150-0x00000000020D0000-0x0000000002160000-memory.dmp

Filesize
576KB

Download
memory/1164-149-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/1164-147-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/1164-146-0x0000000002270000-0x00000000025BA000-memory.dmp

Filesize
3.3MB

Download
memory/1164-145-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

Filesize
24KB

Download
memory/1972-137-0x0000000000000000-mapping.dmp

Download
memory/1972-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1972-141-0x00000000009E0000-0x00000000009F1000-memory.dmp

Filesize
68KB

Download
memory/1972-140-0x0000000000A30000-0x0000000000D7A000-memory.dmp

Filesize
3.3MB

Download
memory/1972-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2696-142-0x0000000008610000-0x000000000873C000-memory.dmp

Filesize
1.2MB

Download
memory/2696-151-0x0000000008920000-0x0000000008A9F000-memory.dmp

Filesize
1.5MB

Download
memory/2696-152-0x0000000008920000-0x0000000008A9F000-memory.dmp

Filesize
1.5MB

Download
memory/3456-148-0x0000000000000000-mapping.dmp

Download
memory/3568-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads