Overview

overview

10

Static

static

FtLroeD5Kmr6rNC.exe

windows7_x64

10

FtLroeD5Kmr6rNC.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FtLroeD5Kmr6rNC.exe

  • Size

    734KB

  • MD5

    c8208e09703f024933544517fb4db4a3

  • SHA1

    0f6b53720c7556d04c5fed4b07084f86fd115480

  • SHA256

    ee4b567e9ec4039e3494f812a70c14c02865b600a2356e3f5906ac520242839f

  • SHA512

    637668d98a88d73b496fb5c3fb928ab018ece33947cacf8ca7cb42d3874967d07cc995357b8710bc451d1301bb0e41e5000cdfa4f56548f7b983313fd49b358e

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.asicprominer.com/umSa/

Decoy

lessensations.com

growcerybank.com

rvworkforce.com

djangosports.com

jgrosinger.com

tongjiash.com

rianebrady.com

xiaoxu.info

allwaysautism.com

couturev.com

dantedikhali.com

sagamoreca.com

sandisyardsale.com

happizi.com

moonchildboxco.store

maquillajembp.com

sojubythebay.com

verdexwellness.com

authenticperiod.cloud

bitpreserve.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
      "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
        "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
        3⤵
          PID:2384
        • C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
          "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
          3⤵
            PID:2216
          • C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe
            "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
        • C:\Windows\SysWOW64\colorcpl.exe
          "C:\Windows\SysWOW64\colorcpl.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\FtLroeD5Kmr6rNC.exe"
            3⤵
              PID:512

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/60-11-0x0000000000CF0000-0x0000000000D57000-memory.dmp
          Filesize

          412KB

          Download
        • memory/60-9-0x0000000005050000-0x0000000005051000-memory.dmp
          Filesize

          4KB

          Download
        • memory/60-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/60-6-0x0000000005350000-0x0000000005351000-memory.dmp
          Filesize

          4KB

          Download
        • memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/60-8-0x0000000004E50000-0x0000000004E51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/60-3-0x00000000004D0000-0x00000000004D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/60-10-0x0000000004E90000-0x0000000004EA2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/60-7-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/512-18-0x0000000000000000-mapping.dmp
          Download
        • memory/2688-15-0x0000000000000000-mapping.dmp
          Download
        • memory/2688-16-0x0000000000B90000-0x0000000000BA9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/2688-17-0x0000000000B90000-0x0000000000BA9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/2688-19-0x0000000006A60000-0x0000000006B35000-memory.dmp
          Filesize

          852KB

          Download
        • memory/3056-12-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3056-13-0x000000000041D060-mapping.dmp
          Download