formbook | 537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
Size

274KB
MD5

a67b9455e07da0e206e388aadfce24ee
SHA1

ae4726f82b0a392b91655f91fdd634f810722027
SHA256

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961
SHA512

a086bcc0ff5789d780aee0aa64fb09053fb1736a0dc70bd3b6321e0c3671b48d1e0d220d6a4e85c8c2ca0ef0122a4a7c3f3ca9d42bbda62b093c54aa73f603f2
SSDEEP

6144:PYa6kSIwjB9pgGrwb35p84UEexcGqBpFtofapRQlJc6QNM:PYiShSGrspYEycnPksQnCK

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/296-65-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

dwxrv.exedwxrv.exe

pid process

1724 dwxrv.exe
296 dwxrv.exe
Loads dropped DLL 5 IoCs

Processes:

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exedwxrv.exeWerFault.exe

pid process

1376 537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
1724 dwxrv.exe
840 WerFault.exe
840 WerFault.exe
840 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dwxrv.exe

description pid process target process

PID 1724 set thread context of 296 1724 dwxrv.exe dwxrv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 296 WerFault.exe dwxrv.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dwxrv.exe

pid process

1724 dwxrv.exe
1724 dwxrv.exe

pid	process
1724	dwxrv.exe
296	dwxrv.exe

pid	process
1376	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
1724	dwxrv.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

description	pid	process	target process
PID 1724 set thread context of 296	1724	dwxrv.exe	dwxrv.exe

pid	pid_target	process	target process
840	296	WerFault.exe	dwxrv.exe

pid	process
1724	dwxrv.exe
1724	dwxrv.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exedwxrv.exedwxrv.exe

description	pid	process	target process
PID 1376 wrote to memory of 1724	1376	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 1376 wrote to memory of 1724	1376	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 1376 wrote to memory of 1724	1376	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 1376 wrote to memory of 1724	1376	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 1724 wrote to memory of 296	1724	dwxrv.exe	dwxrv.exe
PID 1724 wrote to memory of 296	1724	dwxrv.exe	dwxrv.exe
PID 1724 wrote to memory of 296	1724	dwxrv.exe	dwxrv.exe
PID 1724 wrote to memory of 296	1724	dwxrv.exe	dwxrv.exe
PID 1724 wrote to memory of 296	1724	dwxrv.exe	dwxrv.exe
PID 296 wrote to memory of 840	296	dwxrv.exe	WerFault.exe
PID 296 wrote to memory of 840	296	dwxrv.exe	WerFault.exe
PID 296 wrote to memory of 840	296	dwxrv.exe	WerFault.exe
PID 296 wrote to memory of 840	296	dwxrv.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
"C:\Users\Admin\AppData\Local\Temp\537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
"C:\Users\Admin\AppData\Local\Temp\dwxrv.exe" C:\Users\Admin\AppData\Local\Temp\nismj.s
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
"C:\Users\Admin\AppData\Local\Temp\dwxrv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvpje.gd
Filesize
196KB

MD5
cfffdffaa191107af9a0aa5462cd94a5

SHA1
d337083139a26dd67fa3e549c58d25d22a626cf6

SHA256
a21bae4b660fc9be7c86675332961cc2a08e5170612217e5c15456f079b4c99f

SHA512
2a2a1598c642faae7011f35f7e86f5be38195e9a685dda412c5799500f7699bdc87ac4f791c5fe4e3cff9227f0716e2852ab68053706b0b248ccf1bde7f414b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nismj.s
Filesize
5KB

MD5
1a26d491632d01552e871920c75c91ec

SHA1
86aa68d6928221cb58e40838841fb9fa0de0dca4

SHA256
8d5d5dec473e49e1388c10c2d36d16930efb10143978e098769f1f3f680f41da

SHA512
094b7a5241b53ecc28ecb86c9d8588cb32fe104d6e4809ccf13fa78639ecfd9819ffac52073d7e1b9bc3c46468273bab4c5bdc26e46814690945f1e219526af8

Download Submit
\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
memory/296-65-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download