formbook | 537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961

General

Target

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
Size

274KB
MD5

a67b9455e07da0e206e388aadfce24ee
SHA1

ae4726f82b0a392b91655f91fdd634f810722027
SHA256

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961
SHA512

a086bcc0ff5789d780aee0aa64fb09053fb1736a0dc70bd3b6321e0c3671b48d1e0d220d6a4e85c8c2ca0ef0122a4a7c3f3ca9d42bbda62b093c54aa73f603f2
SSDEEP

6144:PYa6kSIwjB9pgGrwb35p84UEexcGqBpFtofapRQlJc6QNM:PYiShSGrspYEycnPksQnCK

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/736-141-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/736-148-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/736-152-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2692-155-0x00000000001A0000-0x00000000001CC000-memory.dmp	xloader
behavioral2/memory/2692-157-0x00000000001A0000-0x00000000001CC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dwxrv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation dwxrv.exe
Executes dropped EXE 2 IoCs

Processes:

dwxrv.exedwxrv.exe

pid process

1652 dwxrv.exe
736 dwxrv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	dwxrv.exe

pid	process
1652	dwxrv.exe
736	dwxrv.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

dwxrv.exedwxrv.exemstsc.exe

description	pid	process	target process
PID 1652 set thread context of 736	1652	dwxrv.exe	dwxrv.exe
PID 736 set thread context of 3184	736	dwxrv.exe	Explorer.EXE
PID 736 set thread context of 3184	736	dwxrv.exe	Explorer.EXE
PID 2692 set thread context of 3184	2692	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

dwxrv.exemstsc.exe

pid	process
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe
2692	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3184 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

dwxrv.exedwxrv.exemstsc.exe

pid process

1652 dwxrv.exe
736 dwxrv.exe
736 dwxrv.exe
736 dwxrv.exe
736 dwxrv.exe
2692 mstsc.exe
2692 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dwxrv.exemstsc.exe

description pid process

Token: SeDebugPrivilege 736 dwxrv.exe
Token: SeDebugPrivilege 2692 mstsc.exe

pid	process
3184	Explorer.EXE

pid	process
1652	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
736	dwxrv.exe
2692	mstsc.exe
2692	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	736	dwxrv.exe
Token: SeDebugPrivilege	2692	mstsc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exedwxrv.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2096 wrote to memory of 1652	2096	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 2096 wrote to memory of 1652	2096	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 2096 wrote to memory of 1652	2096	537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe	dwxrv.exe
PID 1652 wrote to memory of 736	1652	dwxrv.exe	dwxrv.exe
PID 1652 wrote to memory of 736	1652	dwxrv.exe	dwxrv.exe
PID 1652 wrote to memory of 736	1652	dwxrv.exe	dwxrv.exe
PID 1652 wrote to memory of 736	1652	dwxrv.exe	dwxrv.exe
PID 3184 wrote to memory of 2692	3184	Explorer.EXE	mstsc.exe
PID 3184 wrote to memory of 2692	3184	Explorer.EXE	mstsc.exe
PID 3184 wrote to memory of 2692	3184	Explorer.EXE	mstsc.exe
PID 2692 wrote to memory of 2540	2692	mstsc.exe	cmd.exe
PID 2692 wrote to memory of 2540	2692	mstsc.exe	cmd.exe
PID 2692 wrote to memory of 2540	2692	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe
"C:\Users\Admin\AppData\Local\Temp\537ca83e58dfc0da3a87d09b50fcbf04ec5ba736c19c9f7cec9733a58c57a961.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
"C:\Users\Admin\AppData\Local\Temp\dwxrv.exe" C:\Users\Admin\AppData\Local\Temp\nismj.s
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
"C:\Users\Admin\AppData\Local\Temp\dwxrv.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4760

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dwxrv.exe"
3⤵
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwxrv.exe
Filesize
101KB

MD5
1d215b52e2994740c3cd03b1c1574c53

SHA1
675daabaa68a01d0c2ca1b8a97eded39e342084e

SHA256
72866ee7f6d1d1f83658457c1619c3b7db5b3773409eaf86cabc9bb8d5bb1c0d

SHA512
ad7b25924c1656fe7b88eb840ed0608deea600f8b6d6df11261c8a5c1c0939c3630cb949ab549909fab999d9a1860a62d083179ccf56ee5aa26411aa7769c82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvpje.gd
Filesize
196KB

MD5
cfffdffaa191107af9a0aa5462cd94a5

SHA1
d337083139a26dd67fa3e549c58d25d22a626cf6

SHA256
a21bae4b660fc9be7c86675332961cc2a08e5170612217e5c15456f079b4c99f

SHA512
2a2a1598c642faae7011f35f7e86f5be38195e9a685dda412c5799500f7699bdc87ac4f791c5fe4e3cff9227f0716e2852ab68053706b0b248ccf1bde7f414b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nismj.s
Filesize
5KB

MD5
1a26d491632d01552e871920c75c91ec

SHA1
86aa68d6928221cb58e40838841fb9fa0de0dca4

SHA256
8d5d5dec473e49e1388c10c2d36d16930efb10143978e098769f1f3f680f41da

SHA512
094b7a5241b53ecc28ecb86c9d8588cb32fe104d6e4809ccf13fa78639ecfd9819ffac52073d7e1b9bc3c46468273bab4c5bdc26e46814690945f1e219526af8

Download Submit
memory/736-149-0x0000000000FE0000-0x0000000000FF1000-memory.dmp

Filesize
68KB

Download
memory/736-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/736-146-0x0000000000F70000-0x0000000000F81000-memory.dmp

Filesize
68KB

Download
memory/736-145-0x00000000014B0000-0x00000000017FA000-memory.dmp

Filesize
3.3MB

Download
memory/736-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/736-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2692-151-0x0000000000BF0000-0x0000000000D2A000-memory.dmp

Filesize
1.2MB

Download
memory/2692-154-0x0000000000BF0000-0x0000000000D2A000-memory.dmp

Filesize
1.2MB

Download
memory/2692-155-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/2692-156-0x0000000002630000-0x000000000297A000-memory.dmp

Filesize
3.3MB

Download
memory/2692-157-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/2692-159-0x00000000022D0000-0x0000000002360000-memory.dmp

Filesize
576KB

Download
memory/3184-150-0x000000000ACE0000-0x000000000AE19000-memory.dmp

Filesize
1.2MB

Download
memory/3184-147-0x0000000009460000-0x00000000095A4000-memory.dmp

Filesize
1.3MB

Download
memory/3184-160-0x0000000002E40000-0x0000000002F43000-memory.dmp

Filesize
1.0MB

Download
memory/3184-161-0x0000000002E40000-0x0000000002F43000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads