formbook | 2de208696a07b8792d8fb3625771c71363988c0c2f5980ee4339030cf7626b11

General

Target

mon.exe
Size

605KB
MD5

5d9ab26afef221bca7293659356756ac
SHA1

4c7f919c34b300dc432ac70565aec533fc8cd76c
SHA256

2de208696a07b8792d8fb3625771c71363988c0c2f5980ee4339030cf7626b11
SHA512

9d1d8067287c5bb15dc5b28a71606022d7b3da3ecab77dc126e7a6b4d5faff58175e328a6425ccf528be226a42290c28dbce4952e66147f81dc770a0a9f33845
SSDEEP

12288:vYIcAqSSAx6tx2nFh6Fg1UlnlqGvBH4KewELMg0Xk+v4u:vYIcAqSStt8nFhwnksRTk04u

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1580-144-0x0000000000810000-0x000000000083C000-memory.dmp	xloader
behavioral2/memory/4020-154-0x0000000000160000-0x000000000018C000-memory.dmp	xloader
behavioral2/memory/4020-157-0x0000000000160000-0x000000000018C000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

cmstp.exe

flow pid process

76 4020 cmstp.exe
79 4020 cmstp.exe

flow	pid	process
76	4020	cmstp.exe
79	4020	cmstp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wonrcexwi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wonrcexwi.exe

Executes dropped EXE 2 IoCs

Processes:

wonrcexwi.exewonrcexwi.exe

pid process

4736 wonrcexwi.exe
1580 wonrcexwi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4736	wonrcexwi.exe
1580	wonrcexwi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FVJ8BNA8 = "C:\\Program Files (x86)\\Z_rc\\mfcnz7lcr3.exe"	cmstp.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wonrcexwi.exewonrcexwi.execmstp.exe

description	pid	process	target process
PID 4736 set thread context of 1580	4736	wonrcexwi.exe	wonrcexwi.exe
PID 1580 set thread context of 388	1580	wonrcexwi.exe	Explorer.EXE
PID 4020 set thread context of 388	4020	cmstp.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmstp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Z_rc\mfcnz7lcr3.exe cmstp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Z_rc\mfcnz7lcr3.exe	cmstp.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

wonrcexwi.execmstp.exe

pid	process
1580	wonrcexwi.exe
1580	wonrcexwi.exe
1580	wonrcexwi.exe
1580	wonrcexwi.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

388 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

wonrcexwi.exewonrcexwi.execmstp.exe

pid process

4736 wonrcexwi.exe
4736 wonrcexwi.exe
1580 wonrcexwi.exe
1580 wonrcexwi.exe
1580 wonrcexwi.exe
4020 cmstp.exe
4020 cmstp.exe
4020 cmstp.exe
4020 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wonrcexwi.execmstp.exe

description pid process

Token: SeDebugPrivilege 1580 wonrcexwi.exe
Token: SeDebugPrivilege 4020 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

wonrcexwi.exe

pid process

4736 wonrcexwi.exe
4736 wonrcexwi.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

wonrcexwi.exe

pid process

4736 wonrcexwi.exe
4736 wonrcexwi.exe

pid	process
388	Explorer.EXE

pid	process
4736	wonrcexwi.exe
4736	wonrcexwi.exe
1580	wonrcexwi.exe
1580	wonrcexwi.exe
1580	wonrcexwi.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe
4020	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1580	wonrcexwi.exe
Token: SeDebugPrivilege	4020	cmstp.exe

pid	process
4736	wonrcexwi.exe
4736	wonrcexwi.exe

pid	process
4736	wonrcexwi.exe
4736	wonrcexwi.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

mon.exewonrcexwi.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1680 wrote to memory of 4736	1680	mon.exe	wonrcexwi.exe
PID 1680 wrote to memory of 4736	1680	mon.exe	wonrcexwi.exe
PID 1680 wrote to memory of 4736	1680	mon.exe	wonrcexwi.exe
PID 4736 wrote to memory of 1580	4736	wonrcexwi.exe	wonrcexwi.exe
PID 4736 wrote to memory of 1580	4736	wonrcexwi.exe	wonrcexwi.exe
PID 4736 wrote to memory of 1580	4736	wonrcexwi.exe	wonrcexwi.exe
PID 4736 wrote to memory of 1580	4736	wonrcexwi.exe	wonrcexwi.exe
PID 388 wrote to memory of 4020	388	Explorer.EXE	cmstp.exe
PID 388 wrote to memory of 4020	388	Explorer.EXE	cmstp.exe
PID 388 wrote to memory of 4020	388	Explorer.EXE	cmstp.exe
PID 4020 wrote to memory of 1516	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 1516	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 1516	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3308	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3308	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3308	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3772	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3772	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 3772	4020	cmstp.exe	cmd.exe
PID 4020 wrote to memory of 4832	4020	cmstp.exe	Firefox.exe
PID 4020 wrote to memory of 4832	4020	cmstp.exe	Firefox.exe
PID 4020 wrote to memory of 4832	4020	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\mon.exe
"C:\Users\Admin\AppData\Local\Temp\mon.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
"C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe" "C:\Users\Admin\AppData\Local\Temp\srgsn.au3"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
"C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe"
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3772

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\bilmsvxqo.sbo
Filesize
49KB

MD5
bfc4e759cb05e092cccc610961341cd2

SHA1
ebc6f83d4cb546ca8e19db458f4b74f3c97e276f

SHA256
27e82a3b5b77d11bb846e4822a80d73d5363c9b9c9f87553511efd3450e7cc0a

SHA512
5b4dab622c6f0125837abaaf1b5d87c277b287590eb204ee81168f7d75f8f4cad61b0d39c8da94adb064cdc38958b00c749be7707df35a46d122e15859d2225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hafbnf.e
Filesize
196KB

MD5
4cae5264891bbf349576f7594b04e186

SHA1
d122c8fb4c91a4e22b6cea14dcf82d2326ebbc5e

SHA256
86ff7d05a5430df90a6f7fce2aa660bc4fbfc33643caeb078e0e1081d175cead

SHA512
0760edebc903d32ef8bfe8e0741dc0f06637362038a7d6ba40f224f9071922891f0fc8419d307be833e6b1ce878dabb2db7bda6e3e079ee30a678779cf8a0199

Download Submit
C:\Users\Admin\AppData\Local\Temp\srgsn.au3
Filesize
4KB

MD5
f65d384b8c913f32a034047f96174897

SHA1
d7dc4253a021e380ce2be56d66450218cc3b907f

SHA256
3a1421940505bbafa53c322734430112120144ce675fe14bac60dfbe250b6aed

SHA512
2615c159b32b51ff666aba10cac6caa0253eee204cf90e748b7c5d1a20cdba086e98d2f04457e6673141894618261707f2ed3d6e26fe22fa25dc7791de1d1fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wonrcexwi.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/388-151-0x0000000003010000-0x00000000030C6000-memory.dmp

Filesize
728KB

Download
memory/388-160-0x0000000008560000-0x0000000008616000-memory.dmp

Filesize
728KB

Download
memory/388-161-0x0000000008560000-0x0000000008616000-memory.dmp

Filesize
728KB

Download
memory/1580-149-0x0000000001060000-0x00000000013AA000-memory.dmp

Filesize
3.3MB

Download
memory/1580-150-0x0000000000AE0000-0x0000000000AF1000-memory.dmp

Filesize
68KB

Download
memory/1580-144-0x0000000000810000-0x000000000083C000-memory.dmp

Filesize
176KB

Download
memory/4020-152-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/4020-157-0x0000000000160000-0x000000000018C000-memory.dmp

Filesize
176KB

Download
memory/4020-159-0x00000000021B0000-0x0000000002240000-memory.dmp

Filesize
576KB

Download
memory/4020-155-0x00000000022A0000-0x00000000025EA000-memory.dmp

Filesize
3.3MB

Download
memory/4020-154-0x0000000000160000-0x000000000018C000-memory.dmp

Filesize
176KB

Download
memory/4020-153-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/4736-141-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads