Overview

overview

10

Static

static

JdtN8nIcLi8RQOi.exe

windows7_x64

10

JdtN8nIcLi8RQOi.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JdtN8nIcLi8RQOi.exe

  • Size

    822KB

  • MD5

    aee550440966b0bd34d9ccb2b1f7f146

  • SHA1

    14125d61fbcf4b63cb9c9ad82a60be3ad9aa2a3d

  • SHA256

    d31340f14a66b43a1f5cf461cf48278bb97bfc33ef5a8bd0b29d0a3e6f315895

  • SHA512

    7a81e4fec8c21339eb051205ad5a84fd3db07b4e330b9911b740d1382f4a084b812217312ec3e97a63ffc22ea260a7f2a2d9c8fc463881cabf7d2392e038d894

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.allismd.com/ur06/

Decoy

philippebrooksdesign.com

cmoorestudio.com

profille-sarina23tammara.club

dqulxe.com

uiffinger.com

nolarapper.com

maconanimalexterminator.com

bisovka.com

loveisloveent.com

datication.com

spxo66.com

drhelpnow.com

ladybug-cle.com

macocome.com

thepoppysocks.com

eldritchparadox.com

mercadolibre.company

ismartfarm.com

kansascarlot.com

kevinld.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe
      "C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe
        "C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe"
        3⤵
          PID:1600
        • C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe
          "C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:776
      • C:\Windows\SysWOW64\colorcpl.exe
        "C:\Windows\SysWOW64\colorcpl.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:292
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\JdtN8nIcLi8RQOi.exe"
          3⤵
          • Deletes itself
          PID:1820

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/292-4-0x0000000000000000-mapping.dmp
      Download
    • memory/292-5-0x0000000000DB0000-0x0000000000DC8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/292-7-0x0000000004340000-0x0000000004492000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/776-3-0x000000000041D000-mapping.dmp
      Download
    • memory/776-2-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1820-6-0x0000000000000000-mapping.dmp
      Download