formbook | 0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254

General

Target

tmp.exe
Size

270KB
MD5

5ab5545135d685cb4ae66a6a7b8665ab
SHA1

3cb0b92bae266e6ee90928f72d2678386cb591dc
SHA256

0771366a1d11998297453153ee79c4a50f6112a55110e016a9b192a87e2d7254
SHA512

35f2097ff89e75ca2b4a6cb6b3a80cf048c8aa1ea5c627c863bd28d369ef5c29df4ac49691362fd8988795b9531b6c0389684b041e4244613678a571fab28245
SSDEEP

6144:/Ya6CjcaFIEPRRpQEBsrbt3BToqaXRud7+QS26cTV+mWDoriw8tFi6aEmL:/YUjcabP3jBst3Roq0Rut4FcTVhWQYVo

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4588-141-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/4588-150-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3876-154-0x0000000000E00000-0x0000000000E2C000-memory.dmp	xloader
behavioral2/memory/3876-156-0x0000000000E00000-0x0000000000E2C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lgntaqvrla.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	lgntaqvrla.exe

Executes dropped EXE 2 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exe

pid process

2124 lgntaqvrla.exe
4588 lgntaqvrla.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2124	lgntaqvrla.exe
4588	lgntaqvrla.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OFYL5VXXCN = "C:\\Program Files (x86)\\Iqlqhzlph\\tz7l-1b7pv.exe"	svchost.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exesvchost.exe

description	pid	process	target process
PID 2124 set thread context of 4588	2124	lgntaqvrla.exe	lgntaqvrla.exe
PID 4588 set thread context of 3160	4588	lgntaqvrla.exe	Explorer.EXE
PID 3876 set thread context of 3160	3876	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\Iqlqhzlph\tz7l-1b7pv.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Iqlqhzlph\tz7l-1b7pv.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

lgntaqvrla.exesvchost.exe

pid	process
4588	lgntaqvrla.exe
4588	lgntaqvrla.exe
4588	lgntaqvrla.exe
4588	lgntaqvrla.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lgntaqvrla.exelgntaqvrla.exesvchost.exe

pid process

2124 lgntaqvrla.exe
4588 lgntaqvrla.exe
4588 lgntaqvrla.exe
4588 lgntaqvrla.exe
3876 svchost.exe
3876 svchost.exe
3876 svchost.exe
3876 svchost.exe

pid	process
3160	Explorer.EXE

pid	process
2124	lgntaqvrla.exe
4588	lgntaqvrla.exe
4588	lgntaqvrla.exe
4588	lgntaqvrla.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe
3876	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

lgntaqvrla.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4588	lgntaqvrla.exe
Token: SeDebugPrivilege	3876	svchost.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
3160 Explorer.EXE

pid	process
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tmp.exelgntaqvrla.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1608 wrote to memory of 2124	1608	tmp.exe	lgntaqvrla.exe
PID 1608 wrote to memory of 2124	1608	tmp.exe	lgntaqvrla.exe
PID 1608 wrote to memory of 2124	1608	tmp.exe	lgntaqvrla.exe
PID 2124 wrote to memory of 4588	2124	lgntaqvrla.exe	lgntaqvrla.exe
PID 2124 wrote to memory of 4588	2124	lgntaqvrla.exe	lgntaqvrla.exe
PID 2124 wrote to memory of 4588	2124	lgntaqvrla.exe	lgntaqvrla.exe
PID 2124 wrote to memory of 4588	2124	lgntaqvrla.exe	lgntaqvrla.exe
PID 3160 wrote to memory of 3876	3160	Explorer.EXE	svchost.exe
PID 3160 wrote to memory of 3876	3160	Explorer.EXE	svchost.exe
PID 3160 wrote to memory of 3876	3160	Explorer.EXE	svchost.exe
PID 3876 wrote to memory of 208	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 208	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 208	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 1588	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 1588	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 1588	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 3320	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 3320	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 3320	3876	svchost.exe	cmd.exe
PID 3876 wrote to memory of 3324	3876	svchost.exe	Firefox.exe
PID 3876 wrote to memory of 3324	3876	svchost.exe	Firefox.exe
PID 3876 wrote to memory of 3324	3876	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
"C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe" C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
"C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe"
3⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3320

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqfcsgiflon.e
Filesize
5KB

MD5
c2b06d8fa0aa765e80eab24f065b884b

SHA1
ffa2ab27331f3d88aa5bb6ad6f8a5a5b36640a36

SHA256
e43e3dc2553a07fbd99a41313985ff637f7e01805c6c740b1cc2af15228da4d7

SHA512
1dffb1c0af95211f2be3f2b5676ec73483b0ad49fd56e155a8ebb8f7d95b00502013a9748fa901b786e768f3645d2985856d4952d4c69f8d348556ff2c77d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgntaqvrla.exe
Filesize
93KB

MD5
e14702f06986cdc62fdd4bb716747ee6

SHA1
2ae39cf6bf7f056356db53ca4fde43107d842ebd

SHA256
5b58d41d5293bb045909ef9dae5b1fe8464db60165b84b7af85dba4a2790b10f

SHA512
b6072f71be5e80748f37ec36d4c418aad6b2bd61185d456119cde4095d44eae05939b5affb276232d171ee33338decf9eaf95747582a916aa9d09d5e64047bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjrdrgggzeb.b
Filesize
196KB

MD5
2e70354390d5ad4ce1cfb9f4404b1b86

SHA1
81274614b0eac6349fb6e65ea498c45461253267

SHA256
846a7111ab3880a2ca9ff88f4ebce95e51659a62b063fdde3972295f7651f1da

SHA512
f57246ef8972e1d3780d5291cdb406b3f685bdf22e6e8acdb79887284da7382322e047a15db2aa7f847631f9c4b368cb156fd0ded5f0cdc7da69ad1f73043061

Download Submit
memory/2124-143-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/3160-162-0x0000000007440000-0x0000000007505000-memory.dmp

Filesize
788KB

Download
memory/3160-148-0x00000000097C0000-0x000000000993A000-memory.dmp

Filesize
1.5MB

Download
memory/3160-160-0x0000000007440000-0x0000000007505000-memory.dmp

Filesize
788KB

Download
memory/3160-159-0x0000000007440000-0x0000000007505000-memory.dmp

Filesize
788KB

Download
memory/3876-156-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/3876-154-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/3876-155-0x0000000001900000-0x0000000001C4A000-memory.dmp

Filesize
3.3MB

Download
memory/3876-153-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3876-158-0x0000000001500000-0x0000000001590000-memory.dmp

Filesize
576KB

Download
memory/3876-149-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4588-150-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4588-147-0x00000000006C0000-0x00000000006D1000-memory.dmp

Filesize
68KB

Download
memory/4588-146-0x0000000000B50000-0x0000000000E9A000-memory.dmp

Filesize
3.3MB

Download
memory/4588-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads