Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 16:58
General
-
Target
31.exe
Malware Config
Extracted
formbook
4.0
http://www.worstig.com/w9z/
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
Extracted
gozi_rm3
-
exe_type
loader
Extracted
gozi_rm3
86920224
https://sibelikinciel.xyz
-
build
300869
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
Extracted
danabot
92.204.160.54
2.56.213.179
45.153.186.47
93.115.21.29
185.45.193.50
193.34.166.247
Extracted
formbook
4.1
http://www.joomlas123.com/i0qi/
http://www.norjax.com/app/
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload 5 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
AgentTesla Payload 12 IoCs
-
CryptOne packer 5 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Formbook Payload 9 IoCs
-
ReZer0 packer 3 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Executes dropped EXE 11 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\31.exe"C:\Users\Admin\AppData\Local\Temp\31.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADD9.tmp\ADDA.tmp\ADDB.bat C:\Users\Admin\AppData\Local\Temp\31.exe"3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"4⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\3.exeC:\Users\Admin\AppData\Roaming\3.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\4.exeC:\Users\Admin\AppData\Roaming\4.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5.exeC:\Users\Admin\AppData\Roaming\5.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\6.exeC:\Users\Admin\AppData\Roaming\6.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\7.exeC:\Users\Admin\AppData\Roaming\7.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\8.exeC:\Users\Admin\AppData\Roaming\8.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\9.exeC:\Users\Admin\AppData\Roaming\9.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\10.exeC:\Users\Admin\AppData\Roaming\10.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\11.exeC:\Users\Admin\AppData\Roaming\11.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Roaming\2.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
332KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
324KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
332KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
308KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
888KB