formbook | e88f33997f0017e4263bf7b7eff4bc6c15d8d9aa3357e9dd75af0ca80f945050

General

Target

tmp.exe
Size

605KB
MD5

fae868e1e5cfc5b1ad62e21c2201893b
SHA1

6469b546f298cdd2265902acfc1e57ac14177915
SHA256

e88f33997f0017e4263bf7b7eff4bc6c15d8d9aa3357e9dd75af0ca80f945050
SHA512

659b92bca49e8cfcef29aa6451748ceaa69165e01df8f96781d479dc9a96611718b0fc6839b1d03f794be8ccc579ebb82de52294d522a9f93a46a2f22e43a12c
SSDEEP

12288:/YhX7MMHiMZ/D2cSLEGZuuXxHooRwfWz+ji/pD:/YhX7vCyD2f/yX+KjcpD

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3016-144-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3016-149-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/4356-155-0x0000000000E50000-0x0000000000E7C000-memory.dmp	xloader
behavioral2/memory/4356-157-0x0000000000E50000-0x0000000000E7C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zkozagrkac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	zkozagrkac.exe

Executes dropped EXE 2 IoCs

Processes:

zkozagrkac.exezkozagrkac.exe

pid process

1272 zkozagrkac.exe
3016 zkozagrkac.exe

pid	process
1272	zkozagrkac.exe
3016	zkozagrkac.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zkozagrkac.exezkozagrkac.exesystray.exe

description	pid	process	target process
PID 1272 set thread context of 3016	1272	zkozagrkac.exe	zkozagrkac.exe
PID 3016 set thread context of 748	3016	zkozagrkac.exe	Explorer.EXE
PID 4356 set thread context of 748	4356	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

zkozagrkac.exesystray.exe

pid	process
3016	zkozagrkac.exe
3016	zkozagrkac.exe
3016	zkozagrkac.exe
3016	zkozagrkac.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe
4356	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

748 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

zkozagrkac.exezkozagrkac.exesystray.exe

pid process

1272 zkozagrkac.exe
3016 zkozagrkac.exe
3016 zkozagrkac.exe
3016 zkozagrkac.exe
4356 systray.exe
4356 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zkozagrkac.exesystray.exe

description pid process

Token: SeDebugPrivilege 3016 zkozagrkac.exe
Token: SeDebugPrivilege 4356 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

zkozagrkac.exe

pid process

1272 zkozagrkac.exe
1272 zkozagrkac.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

zkozagrkac.exe

pid process

1272 zkozagrkac.exe
1272 zkozagrkac.exe

pid	process
748	Explorer.EXE

pid	process
1272	zkozagrkac.exe
3016	zkozagrkac.exe
3016	zkozagrkac.exe
3016	zkozagrkac.exe
4356	systray.exe
4356	systray.exe

description	pid	process
Token: SeDebugPrivilege	3016	zkozagrkac.exe
Token: SeDebugPrivilege	4356	systray.exe

pid	process
1272	zkozagrkac.exe
1272	zkozagrkac.exe

pid	process
1272	zkozagrkac.exe
1272	zkozagrkac.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exezkozagrkac.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1772 wrote to memory of 1272	1772	tmp.exe	zkozagrkac.exe
PID 1772 wrote to memory of 1272	1772	tmp.exe	zkozagrkac.exe
PID 1772 wrote to memory of 1272	1772	tmp.exe	zkozagrkac.exe
PID 1272 wrote to memory of 3016	1272	zkozagrkac.exe	zkozagrkac.exe
PID 1272 wrote to memory of 3016	1272	zkozagrkac.exe	zkozagrkac.exe
PID 1272 wrote to memory of 3016	1272	zkozagrkac.exe	zkozagrkac.exe
PID 1272 wrote to memory of 3016	1272	zkozagrkac.exe	zkozagrkac.exe
PID 748 wrote to memory of 4356	748	Explorer.EXE	systray.exe
PID 748 wrote to memory of 4356	748	Explorer.EXE	systray.exe
PID 748 wrote to memory of 4356	748	Explorer.EXE	systray.exe
PID 4356 wrote to memory of 1572	4356	systray.exe	cmd.exe
PID 4356 wrote to memory of 1572	4356	systray.exe	cmd.exe
PID 4356 wrote to memory of 1572	4356	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe
"C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe" "C:\Users\Admin\AppData\Local\Temp\iotriknymm.au3"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe
"C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe"
3⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iotriknymm.au3
Filesize
3KB

MD5
1adf412812f453fbff138af1ef1d14c6

SHA1
e6c95ede41fa9e226874be6093ed654d5fb7272d

SHA256
7bd7b67c3c47ee35aea15072f9a7caa8d3d866275f08b84bb3732a2bc53b36da

SHA512
b16216bbe7e3d7e426055115dc9cf06d7a5b409c1594b3bf2c97644bc0f440b3a79f691690129634263d4ec4f565ae895dfb8126cc41c5040ef5e4f402a6b1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiuxi.t
Filesize
50KB

MD5
eef5710a3ffe25919588c0344e4a24a7

SHA1
9e97eb93b36cb1cee4bcb71d17d035aada86812d

SHA256
cdcc51db7f0a4c644fcf97ec9c42bee82d1a6b617cf64ac12b55e559bff29f2e

SHA512
604c328432a030beb2d91023206c546577d8c243e77f0c747cd04808375417f84b13aeb254eae0bda1394207ca1291aa2313936d45abe660e8546942b30cbfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysoxzjueeaw.qgv
Filesize
196KB

MD5
4128c01597bb4f7bab1536acd9dab137

SHA1
e15d675cfd5caf081dd8cf18af516c8d4844e116

SHA256
84bc6477375743180c6b50e1550ee4747e817b66a498e0e47483802146d3e961

SHA512
72774b4dfa6f3eb7098d6eba99e91f21f8578d14e77f01daf0fe515b46b893c4bdfc5aded380dcc1491d83ed2a66d9315ec67dd44277ce0e80ff11057e5fb6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkozagrkac.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/748-163-0x0000000003280000-0x000000000335D000-memory.dmp

Filesize
884KB

Download
memory/748-161-0x0000000003280000-0x000000000335D000-memory.dmp

Filesize
884KB

Download
memory/748-160-0x0000000003280000-0x000000000335D000-memory.dmp

Filesize
884KB

Download
memory/748-151-0x0000000008F20000-0x00000000090CC000-memory.dmp

Filesize
1.7MB

Download
memory/1272-143-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/3016-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3016-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3016-150-0x0000000000F40000-0x0000000000F51000-memory.dmp

Filesize
68KB

Download
memory/3016-148-0x00000000013B0000-0x00000000016FA000-memory.dmp

Filesize
3.3MB

Download
memory/4356-152-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/4356-153-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/4356-155-0x0000000000E50000-0x0000000000E7C000-memory.dmp

Filesize
176KB

Download
memory/4356-156-0x0000000002DC0000-0x000000000310A000-memory.dmp

Filesize
3.3MB

Download
memory/4356-157-0x0000000000E50000-0x0000000000E7C000-memory.dmp

Filesize
176KB

Download
memory/4356-159-0x0000000002C30000-0x0000000002CC0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads