formbook | e7f86bbfa56f8c4c2751260d5084b6896c40dbd9976f292828912a700f1042da

General

Target

tmp.exe
Size

264KB
MD5

f45c92927e94a2d19a1096122bcaf1fd
SHA1

9887b3edbfaa5737911ae3883517087b34c8b11c
SHA256

e7f86bbfa56f8c4c2751260d5084b6896c40dbd9976f292828912a700f1042da
SHA512

0ea77012b26abd6927dca4afb0eae405906141efec2eb6e6b9773cb60fa3e36375345332e4bde699dba592f1c69b937ffbdab594d5efa67ec563d9a4c69c4d8e
SSDEEP

6144:/Ya68OD5y2TAsWI4JTPGX152WGZi4fLPikivmWEaAjkhVt1:/Y6u5y2U849eF5zv4jPpcm0AMVf

Score

10^/10

formbook xloader poub loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/832-65-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/832-72-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1304-76-0x0000000000100000-0x000000000012C000-memory.dmp	xloader
behavioral1/memory/1304-78-0x0000000000100000-0x000000000012C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lhblug.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation lhblug.exe
Executes dropped EXE 2 IoCs

Processes:

lhblug.exelhblug.exe

pid process

1624 lhblug.exe
832 lhblug.exe
Loads dropped DLL 2 IoCs

Processes:

tmp.exelhblug.exe

pid process

1736 tmp.exe
1624 lhblug.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation	lhblug.exe

pid	process
1624	lhblug.exe
832	lhblug.exe

pid	process
1736	tmp.exe
1624	lhblug.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	colorcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4H-X6TWHWZ = "C:\\Program Files (x86)\\F2d9l_r\\vganz7.exe"	colorcpl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lhblug.exelhblug.execolorcpl.exe

description	pid	process	target process
PID 1624 set thread context of 832	1624	lhblug.exe	lhblug.exe
PID 832 set thread context of 1372	832	lhblug.exe	Explorer.EXE
PID 1304 set thread context of 1372	1304	colorcpl.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

colorcpl.exe

description ioc process

File opened for modification C:\Program Files (x86)\F2d9l_r\vganz7.exe colorcpl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\F2d9l_r\vganz7.exe	colorcpl.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1563773381-2037468142-1146002597-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

lhblug.execolorcpl.exe

pid	process
832	lhblug.exe
832	lhblug.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lhblug.exelhblug.execolorcpl.exe

pid process

1624 lhblug.exe
832 lhblug.exe
832 lhblug.exe
832 lhblug.exe
1304 colorcpl.exe
1304 colorcpl.exe
1304 colorcpl.exe
1304 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lhblug.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 832 lhblug.exe
Token: SeDebugPrivilege 1304 colorcpl.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE

pid	process
1624	lhblug.exe
832	lhblug.exe
832	lhblug.exe
832	lhblug.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe
1304	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	832	lhblug.exe
Token: SeDebugPrivilege	1304	colorcpl.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tmp.exelhblug.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1736 wrote to memory of 1624	1736	tmp.exe	lhblug.exe
PID 1736 wrote to memory of 1624	1736	tmp.exe	lhblug.exe
PID 1736 wrote to memory of 1624	1736	tmp.exe	lhblug.exe
PID 1736 wrote to memory of 1624	1736	tmp.exe	lhblug.exe
PID 1624 wrote to memory of 832	1624	lhblug.exe	lhblug.exe
PID 1624 wrote to memory of 832	1624	lhblug.exe	lhblug.exe
PID 1624 wrote to memory of 832	1624	lhblug.exe	lhblug.exe
PID 1624 wrote to memory of 832	1624	lhblug.exe	lhblug.exe
PID 1624 wrote to memory of 832	1624	lhblug.exe	lhblug.exe
PID 1372 wrote to memory of 1304	1372	Explorer.EXE	colorcpl.exe
PID 1372 wrote to memory of 1304	1372	Explorer.EXE	colorcpl.exe
PID 1372 wrote to memory of 1304	1372	Explorer.EXE	colorcpl.exe
PID 1372 wrote to memory of 1304	1372	Explorer.EXE	colorcpl.exe
PID 1304 wrote to memory of 756	1304	colorcpl.exe	cmd.exe
PID 1304 wrote to memory of 756	1304	colorcpl.exe	cmd.exe
PID 1304 wrote to memory of 756	1304	colorcpl.exe	cmd.exe
PID 1304 wrote to memory of 756	1304	colorcpl.exe	cmd.exe
PID 1304 wrote to memory of 1728	1304	colorcpl.exe	Firefox.exe
PID 1304 wrote to memory of 1728	1304	colorcpl.exe	Firefox.exe
PID 1304 wrote to memory of 1728	1304	colorcpl.exe	Firefox.exe
PID 1304 wrote to memory of 1728	1304	colorcpl.exe	Firefox.exe
PID 1304 wrote to memory of 1728	1304	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\lhblug.exe
"C:\Users\Admin\AppData\Local\Temp\lhblug.exe" C:\Users\Admin\AppData\Local\Temp\eublbmjt.q
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\lhblug.exe
"C:\Users\Admin\AppData\Local\Temp\lhblug.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lhblug.exe"
3⤵
PID:756

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eublbmjt.q
Filesize
5KB

MD5
2ee1d9c55c43f5beb7e3286162bb508a

SHA1
a1589bcd997bf299782d6f10c0bcc56b3119ee1f

SHA256
af7fa0bd8adc5e3720890a1af8a4f397a5d474abfa8908463ec2dde31283a634

SHA512
841863b1387473404ed9fdde003b404e11aabb0d7caae4263b0ae965b347061421276dd9e18a4250d2ae72dffeb30f9cd69cc46e92f16537dbea25d99487dcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhblug.exe
Filesize
85KB

MD5
7db397f547de47ba7b50fa2256c97686

SHA1
93fa9a0c9976d44a24c63bdcc76a1fb5fb190c69

SHA256
6ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574

SHA512
2668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhblug.exe
Filesize
85KB

MD5
7db397f547de47ba7b50fa2256c97686

SHA1
93fa9a0c9976d44a24c63bdcc76a1fb5fb190c69

SHA256
6ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574

SHA512
2668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhblug.exe
Filesize
85KB

MD5
7db397f547de47ba7b50fa2256c97686

SHA1
93fa9a0c9976d44a24c63bdcc76a1fb5fb190c69

SHA256
6ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574

SHA512
2668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\twjnycti.znw
Filesize
196KB

MD5
6ea8e7368b5562271d022833ae3433fa

SHA1
f335e11efd09cacfd40d6761a1d2b340b9d55b8e

SHA256
ad209e6922772376eb700c829b51bd3d0268d59a7fd51080007d63010fdec086

SHA512
8ad80a05298aa676f42d27a405fc9b8e28193c540d54d93924c1388e05351819471bb1ecc21d7761691ff6b1a8269aacd17b28fc1b2239e6c462eb0c54968aa5

Download Submit
\Users\Admin\AppData\Local\Temp\lhblug.exe
Filesize
85KB

MD5
7db397f547de47ba7b50fa2256c97686

SHA1
93fa9a0c9976d44a24c63bdcc76a1fb5fb190c69

SHA256
6ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574

SHA512
2668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31

Download Submit
\Users\Admin\AppData\Local\Temp\lhblug.exe
Filesize
85KB

MD5
7db397f547de47ba7b50fa2256c97686

SHA1
93fa9a0c9976d44a24c63bdcc76a1fb5fb190c69

SHA256
6ca9caa0e7e3c7d7663b0854decebc27d183abd427e5a07f1db72183c7659574

SHA512
2668c06739cfbb270df39bdbde3e046e02a7267aadef104feca197c109de734f74069f66e24114c288336f67c0f6aa40446e85c88b8db503bca30e53af00eb31

Download Submit
memory/832-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/832-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/832-69-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/832-70-0x0000000000A10000-0x0000000000A21000-memory.dmp

Filesize
68KB

Download
memory/1304-77-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/1304-73-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/1304-75-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/1304-76-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/1304-78-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/1304-81-0x0000000001E00000-0x0000000001E90000-memory.dmp

Filesize
576KB

Download
memory/1372-71-0x0000000006E30000-0x0000000006FA1000-memory.dmp

Filesize
1.4MB

Download
memory/1372-82-0x0000000004E80000-0x0000000004F8B000-memory.dmp

Filesize
1.0MB

Download
memory/1372-83-0x0000000004E80000-0x0000000004F8B000-memory.dmp

Filesize
1.0MB

Download
memory/1372-85-0x0000000004E80000-0x0000000004F8B000-memory.dmp

Filesize
1.0MB

Download
memory/1372-86-0x000007FE76990000-0x000007FE7699A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads