formbook | 0c66e7fdb1a85f846710e16c7cc76cbd56e8190f64385c4fb79ce1d2c0830d92

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

276KB
MD5

05c5ca1133b8921a42a2479d5f671bd8
SHA1

d7a88788f6728c1601d5c4f5fd5b496329b7394c
SHA256

0c66e7fdb1a85f846710e16c7cc76cbd56e8190f64385c4fb79ce1d2c0830d92
SHA512

fdb37c7effee6e890f5d409a6e483e86b6739c381ceeb2ce060dd7d644dbd7144f3509e4fa36e93fbae30a87d87ae97296dc6a856093a44e68ec3287f8ec1343
SSDEEP

6144:/Ya6Xw/YxJi1m3eXjJrs5goHrgfyieTfreSIIloKbW0gs:/Y14YDmmcFs5gSgfvkFIhKbN

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1980-68-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1980-73-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/588-82-0x0000000000090000-0x00000000000BC000-memory.dmp	xloader
behavioral1/memory/588-84-0x0000000000090000-0x00000000000BC000-memory.dmp	xloader

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

10 588 rundll32.exe
20 588 rundll32.exe
24 588 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

moogmt.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation moogmt.exe
Executes dropped EXE 2 IoCs

Processes:

moogmt.exemoogmt.exe

pid process

2024 moogmt.exe
1980 moogmt.exe
Loads dropped DLL 3 IoCs

Processes:

tmp.exemoogmt.exe

pid process

1376 tmp.exe
1376 tmp.exe
2024 moogmt.exe

flow	pid	process
10	588	rundll32.exe
20	588	rundll32.exe
24	588	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	moogmt.exe

pid	process
2024	moogmt.exe
1980	moogmt.exe

pid	process
1376	tmp.exe
1376	tmp.exe
2024	moogmt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

moogmt.exemoogmt.exerundll32.exe

description	pid	process	target process
PID 2024 set thread context of 1980	2024	moogmt.exe	moogmt.exe
PID 1980 set thread context of 1240	1980	moogmt.exe	Explorer.EXE
PID 588 set thread context of 1240	588	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

moogmt.exerundll32.exe

pid	process
1980	moogmt.exe
1980	moogmt.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe
588	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

moogmt.exemoogmt.exerundll32.exe

pid process

2024 moogmt.exe
1980 moogmt.exe
1980 moogmt.exe
1980 moogmt.exe
588 rundll32.exe
588 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

moogmt.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1980 moogmt.exe
Token: SeDebugPrivilege 588 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE

pid	process
1240	Explorer.EXE

pid	process
2024	moogmt.exe
1980	moogmt.exe
1980	moogmt.exe
1980	moogmt.exe
588	rundll32.exe
588	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1980	moogmt.exe
Token: SeDebugPrivilege	588	rundll32.exe

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

tmp.exemoogmt.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1376 wrote to memory of 2024	1376	tmp.exe	moogmt.exe
PID 1376 wrote to memory of 2024	1376	tmp.exe	moogmt.exe
PID 1376 wrote to memory of 2024	1376	tmp.exe	moogmt.exe
PID 1376 wrote to memory of 2024	1376	tmp.exe	moogmt.exe
PID 2024 wrote to memory of 1980	2024	moogmt.exe	moogmt.exe
PID 2024 wrote to memory of 1980	2024	moogmt.exe	moogmt.exe
PID 2024 wrote to memory of 1980	2024	moogmt.exe	moogmt.exe
PID 2024 wrote to memory of 1980	2024	moogmt.exe	moogmt.exe
PID 2024 wrote to memory of 1980	2024	moogmt.exe	moogmt.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 1240 wrote to memory of 588	1240	Explorer.EXE	rundll32.exe
PID 588 wrote to memory of 1496	588	rundll32.exe	cmd.exe
PID 588 wrote to memory of 1496	588	rundll32.exe	cmd.exe
PID 588 wrote to memory of 1496	588	rundll32.exe	cmd.exe
PID 588 wrote to memory of 1496	588	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
"C:\Users\Admin\AppData\Local\Temp\moogmt.exe" C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
"C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
3⤵
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgclmiz.jf
Filesize
196KB

MD5
3be9ea20f41cba593fa84afb965991d3

SHA1
95e5e029a74061ee98a7a8e384ef11d13eb1e339

SHA256
11789024fb8611d18b8c2f07afed6a4e84ec5aa13b08d100ebbc07ab15aa286c

SHA512
351b97d85800f4da92f9c7b73cb1f9f017d1ca36bbbc6b34f6f8d152acaacf080f7fd8008827f6ffc7fab6c51f6400f9364b255b6b9fee7bb908548c7f442238

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
Filesize
5KB

MD5
c77f4e8b160b5fbdafe09c061a0830d9

SHA1
31338d049e5aa51310643fceb7e44b9c5d48475e

SHA256
b75cf5157538cc9f430d0a1f2f64ac4539f6f748ac6fe48955acce5af33ffccc

SHA512
9ac243df3b7c6079b5e9cc8fdb4690421e304e35f686b68d10ffd76ceeaf27a9308c19f92ffaeb379240fcbf839c6029ff2bc6597cc0e8798b285872ea1afbea

Download Submit
\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
memory/588-83-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/588-84-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/588-87-0x0000000000860000-0x00000000008F0000-memory.dmp

Filesize
576KB

Download
memory/588-82-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/588-81-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/588-77-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/588-79-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/1240-75-0x0000000007120000-0x0000000007279000-memory.dmp

Filesize
1.3MB

Download
memory/1240-88-0x0000000007530000-0x0000000007694000-memory.dmp

Filesize
1.4MB

Download
memory/1240-89-0x0000000007530000-0x0000000007694000-memory.dmp

Filesize
1.4MB

Download
memory/1240-91-0x0000000007530000-0x0000000007694000-memory.dmp

Filesize
1.4MB

Download
memory/1980-74-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1980-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1980-72-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1980-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download