formbook | 0c66e7fdb1a85f846710e16c7cc76cbd56e8190f64385c4fb79ce1d2c0830d92

General

Target

tmp.exe
Size

276KB
MD5

05c5ca1133b8921a42a2479d5f671bd8
SHA1

d7a88788f6728c1601d5c4f5fd5b496329b7394c
SHA256

0c66e7fdb1a85f846710e16c7cc76cbd56e8190f64385c4fb79ce1d2c0830d92
SHA512

fdb37c7effee6e890f5d409a6e483e86b6739c381ceeb2ce060dd7d644dbd7144f3509e4fa36e93fbae30a87d87ae97296dc6a856093a44e68ec3287f8ec1343
SSDEEP

6144:/Ya6Xw/YxJi1m3eXjJrs5goHrgfyieTfreSIIloKbW0gs:/Y14YDmmcFs5gSgfvkFIhKbN

Score

10^/10

formbook xloader poub loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5048-141-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/5048-148-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2012-153-0x0000000000F90000-0x0000000000FBC000-memory.dmp	xloader
behavioral2/memory/2012-155-0x0000000000F90000-0x0000000000FBC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

moogmt.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation moogmt.exe
Executes dropped EXE 2 IoCs

Processes:

moogmt.exemoogmt.exe

pid process

3572 moogmt.exe
5048 moogmt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	moogmt.exe

pid	process
3572	moogmt.exe
5048	moogmt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

moogmt.exemoogmt.exeexplorer.exe

description	pid	process	target process
PID 3572 set thread context of 5048	3572	moogmt.exe	moogmt.exe
PID 5048 set thread context of 3168	5048	moogmt.exe	Explorer.EXE
PID 2012 set thread context of 3168	2012	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

moogmt.exeexplorer.exe

pid	process
5048	moogmt.exe
5048	moogmt.exe
5048	moogmt.exe
5048	moogmt.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3168 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

moogmt.exemoogmt.exeexplorer.exe

pid process

3572 moogmt.exe
5048 moogmt.exe
5048 moogmt.exe
5048 moogmt.exe
2012 explorer.exe
2012 explorer.exe

pid	process
3168	Explorer.EXE

pid	process
3572	moogmt.exe
5048	moogmt.exe
5048	moogmt.exe
5048	moogmt.exe
2012	explorer.exe
2012	explorer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

moogmt.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	5048	moogmt.exe
Token: SeDebugPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE
Token: SeShutdownPrivilege	3168	Explorer.EXE
Token: SeCreatePagefilePrivilege	3168	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exemoogmt.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1828 wrote to memory of 3572	1828	tmp.exe	moogmt.exe
PID 1828 wrote to memory of 3572	1828	tmp.exe	moogmt.exe
PID 1828 wrote to memory of 3572	1828	tmp.exe	moogmt.exe
PID 3572 wrote to memory of 5048	3572	moogmt.exe	moogmt.exe
PID 3572 wrote to memory of 5048	3572	moogmt.exe	moogmt.exe
PID 3572 wrote to memory of 5048	3572	moogmt.exe	moogmt.exe
PID 3572 wrote to memory of 5048	3572	moogmt.exe	moogmt.exe
PID 3168 wrote to memory of 2012	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2012	3168	Explorer.EXE	explorer.exe
PID 3168 wrote to memory of 2012	3168	Explorer.EXE	explorer.exe
PID 2012 wrote to memory of 4676	2012	explorer.exe	cmd.exe
PID 2012 wrote to memory of 4676	2012	explorer.exe	cmd.exe
PID 2012 wrote to memory of 4676	2012	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
"C:\Users\Admin\AppData\Local\Temp\moogmt.exe" C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
"C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\moogmt.exe"
3⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\moogmt.exe
Filesize
103KB

MD5
3dd86c8afb984e4fd975da72e715fabd

SHA1
647cdcaead1ee42466b2c1b5a201b0b7bb90c799

SHA256
db754a7d2881085ab564b7939f6c3e9f3ca81df84b550d87ebc0bd72fd176732

SHA512
110e0fd9535c4fed31d653dba88029ece5f972bfbb702133d7f24062e1ea9db63219240ef50e39c5f56abdfd50c909deb9f616abe20c29b30b849fa74920c6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgclmiz.jf
Filesize
196KB

MD5
3be9ea20f41cba593fa84afb965991d3

SHA1
95e5e029a74061ee98a7a8e384ef11d13eb1e339

SHA256
11789024fb8611d18b8c2f07afed6a4e84ec5aa13b08d100ebbc07ab15aa286c

SHA512
351b97d85800f4da92f9c7b73cb1f9f017d1ca36bbbc6b34f6f8d152acaacf080f7fd8008827f6ffc7fab6c51f6400f9364b255b6b9fee7bb908548c7f442238

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucbhwwtdw.a
Filesize
5KB

MD5
c77f4e8b160b5fbdafe09c061a0830d9

SHA1
31338d049e5aa51310643fceb7e44b9c5d48475e

SHA256
b75cf5157538cc9f430d0a1f2f64ac4539f6f748ac6fe48955acce5af33ffccc

SHA512
9ac243df3b7c6079b5e9cc8fdb4690421e304e35f686b68d10ffd76ceeaf27a9308c19f92ffaeb379240fcbf839c6029ff2bc6597cc0e8798b285872ea1afbea

Download Submit
memory/2012-152-0x0000000000110000-0x0000000000543000-memory.dmp

Filesize
4.2MB

Download
memory/2012-149-0x0000000000110000-0x0000000000543000-memory.dmp

Filesize
4.2MB

Download
memory/2012-157-0x0000000002F40000-0x0000000002FD0000-memory.dmp

Filesize
576KB

Download
memory/2012-155-0x0000000000F90000-0x0000000000FBC000-memory.dmp

Filesize
176KB

Download
memory/2012-154-0x00000000031B0000-0x00000000034FA000-memory.dmp

Filesize
3.3MB

Download
memory/2012-153-0x0000000000F90000-0x0000000000FBC000-memory.dmp

Filesize
176KB

Download
memory/3168-174-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-180-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-212-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-210-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-209-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/3168-158-0x00000000082C0000-0x0000000008387000-memory.dmp

Filesize
796KB

Download
memory/3168-159-0x00000000082C0000-0x0000000008387000-memory.dmp

Filesize
796KB

Download
memory/3168-161-0x00000000082C0000-0x0000000008387000-memory.dmp

Filesize
796KB

Download
memory/3168-163-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-164-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3168-165-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-166-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-167-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-168-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-169-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-170-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-172-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-171-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-173-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-147-0x0000000008690000-0x00000000087ED000-memory.dmp

Filesize
1.4MB

Download
memory/3168-175-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-176-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-177-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-178-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-179-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-208-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-181-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-182-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-184-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3168-185-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-186-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-187-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/3168-193-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-194-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-195-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-196-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-197-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-198-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-199-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-200-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-201-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-202-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-203-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-204-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-205-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-206-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/3168-207-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/5048-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5048-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5048-144-0x0000000000980000-0x0000000000CCA000-memory.dmp

Filesize
3.3MB

Download
memory/5048-146-0x00000000008D0000-0x00000000008E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads