formbook | 0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

270KB
MD5

5ab5545135d685cb4ae66a6a7b8665ab
SHA1

3cb0b92bae266e6ee90928f72d2678386cb591dc
SHA256

0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254
SHA512

35f2097ff89e75ca2b4a6cb6b3a80cf048c8aa1ea5c627c863bd28d369ef5c29df4ac49691362fd8988795b9531b6c0389684b041e4244613678a571fab28245
SSDEEP

6144:/Ya6CjcaFIEPRRpQEBsrbt3BToqaXRud7+QS26cTV+mWDoriw8tFi6aEmL:/YUjcabP3jBst3Roq0Rut4FcTVhWQYVo

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-68-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1516-73-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/580-81-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader
behavioral1/memory/580-82-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YHLXCLC8H = "C:\\Program Files (x86)\\Nzv14x\\config7nj88v.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lgntaqvrla.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\International\Geo\Nation	lgntaqvrla.exe

Executes dropped EXE 2 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exe

pid process

1236 lgntaqvrla.exe
1516 lgntaqvrla.exe
Loads dropped DLL 3 IoCs

Processes:

tmp.exelgntaqvrla.exe

pid process

1928 tmp.exe
1928 tmp.exe
1236 lgntaqvrla.exe

pid	process
1236	lgntaqvrla.exe
1516	lgntaqvrla.exe

pid	process
1928	tmp.exe
1928	tmp.exe
1236	lgntaqvrla.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exesvchost.exe

description	pid	process	target process
PID 1236 set thread context of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1516 set thread context of 1312	1516	lgntaqvrla.exe	Explorer.EXE
PID 580 set thread context of 1312	580	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\Nzv14x\config7nj88v.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nzv14x\config7nj88v.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

lgntaqvrla.exesvchost.exe

pid	process
1516	lgntaqvrla.exe
1516	lgntaqvrla.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exesvchost.exe

pid process

1236 lgntaqvrla.exe
1516 lgntaqvrla.exe
1516 lgntaqvrla.exe
1516 lgntaqvrla.exe
580 svchost.exe
580 svchost.exe
580 svchost.exe
580 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lgntaqvrla.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1516 lgntaqvrla.exe
Token: SeDebugPrivilege 580 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE

pid	process
1312	Explorer.EXE

pid	process
1236	lgntaqvrla.exe
1516	lgntaqvrla.exe
1516	lgntaqvrla.exe
1516	lgntaqvrla.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1516	lgntaqvrla.exe
Token: SeDebugPrivilege	580	svchost.exe

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tmp.exelgntaqvrla.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1928 wrote to memory of 1236	1928	tmp.exe	lgntaqvrla.exe
PID 1928 wrote to memory of 1236	1928	tmp.exe	lgntaqvrla.exe
PID 1928 wrote to memory of 1236	1928	tmp.exe	lgntaqvrla.exe
PID 1928 wrote to memory of 1236	1928	tmp.exe	lgntaqvrla.exe
PID 1236 wrote to memory of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1236 wrote to memory of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1236 wrote to memory of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1236 wrote to memory of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1236 wrote to memory of 1516	1236	lgntaqvrla.exe	lgntaqvrla.exe
PID 1312 wrote to memory of 580	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 580	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 580	1312	Explorer.EXE	svchost.exe
PID 1312 wrote to memory of 580	1312	Explorer.EXE	svchost.exe
PID 580 wrote to memory of 588	580	svchost.exe	cmd.exe
PID 580 wrote to memory of 588	580	svchost.exe	cmd.exe
PID 580 wrote to memory of 588	580	svchost.exe	cmd.exe
PID 580 wrote to memory of 588	580	svchost.exe	cmd.exe
PID 580 wrote to memory of 1756	580	svchost.exe	Firefox.exe
PID 580 wrote to memory of 1756	580	svchost.exe	Firefox.exe
PID 580 wrote to memory of 1756	580	svchost.exe	Firefox.exe
PID 580 wrote to memory of 1756	580	svchost.exe	Firefox.exe
PID 580 wrote to memory of 1756	580	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
"C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe" C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
"C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
3⤵
PID:588

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
Filesize
5KB

MD5
c2b06d8fa0aa765e80eab24f065b884b

SHA1
ffa2ab27331f3d88aa5bb6ad6f8a5a5b36640a36

SHA256
e43e3dc2553a07fbd99a41313985ff637f7e01805c6c740b1cc2af15228da4d7

SHA512
1dffb1c0af95211f2be3f2b5676ec73483b0ad49fd56e155a8ebb8f7d95b00502013a9748fa901b786e768f3645d2985856d4952d4c69f8d348556ff2c77d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjrdrgggzeb.b
Filesize
196KB

MD5
2e70354390d5ad4ce1cfb9f4404b1b86

SHA1
81274614b0eac6349fb6e65ea498c45461253267

SHA256
846a7111ab3880a2ca9ff88f4ebce95e51659a62b063fdde3972295f7651f1da

SHA512
f57246ef8972e1d3780d5291cdb406b3f685bdf22e6e8acdb79887284da7382322e047a15db2aa7f847631f9c4b368cb156fd0ded5f0cdc7da69ad1f73043061

Download Submit
\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
memory/580-82-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/580-84-0x00000000004C0000-0x0000000000550000-memory.dmp

Filesize
576KB

Download
memory/580-81-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/580-80-0x0000000000790000-0x0000000000A93000-memory.dmp

Filesize
3.0MB

Download
memory/580-79-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/580-77-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1312-75-0x0000000004AD0000-0x0000000004BAB000-memory.dmp

Filesize
876KB

Download
memory/1312-85-0x0000000004F70000-0x0000000005078000-memory.dmp

Filesize
1.0MB

Download
memory/1312-86-0x0000000004F70000-0x0000000005078000-memory.dmp

Filesize
1.0MB

Download
memory/1312-88-0x0000000004F70000-0x0000000005078000-memory.dmp

Filesize
1.0MB

Download
memory/1312-89-0x000007FF3F520000-0x000007FF3F52A000-memory.dmp

Filesize
40KB

Download
memory/1516-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1516-74-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/1516-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1516-72-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download