Analysis

  • max time kernel
    39s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 07:13

General

  • Target

    8fb76e6c9b652646d7c1f7f377c97cbd.exe

  • Size

    1.0MB

  • MD5

    8fb76e6c9b652646d7c1f7f377c97cbd

  • SHA1

    087721c9ad24c3895e66186c208512706b64f025

  • SHA256

    81e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b

  • SHA512

    cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b

Malware Config

Extracted

Family

formbook

C2

http://www.h-v-biz.com/c8so/

Decoy

floeperformancegear.com

youtubeincreaser.com

cbb-is.com

bullsbikeusa.com

mama-asobitai.com

parkdaleliving.com

kinneintl.com

byrondramos.com

topangashaman.com

channel1057.com

nuancedigitalsolutions.com

kumheekim.com

erikating.com

ulinekorea.com

giftoes.com

blacknation.info

eventsdonevirtually.com

mx190501.com

bingent.info

seronofertilitymeds.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dromkeG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCBA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBCBA.tmp
    MD5

    e6e78bcb755da84d63120cc0203780d9

    SHA1

    979807ba32c675f18e50df2a4c195d482ce87ff9

    SHA256

    309ee738ed0710b085da765b4f9fe50b4dc72d709814ce6478edff35bd57c7ba

    SHA512

    5c50f5b32470748e420f6bab20246501911439cc7d17c39528368cb4e67508983c921ddfc3ca9df147bd4445a9440a30ea450a297f994ded4a6da6d25882a262

  • memory/1096-2-0x0000000074840000-0x0000000074F2E000-memory.dmp
    Filesize

    6.9MB

  • memory/1096-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
    Filesize

    4KB

  • memory/1096-5-0x0000000000560000-0x000000000056E000-memory.dmp
    Filesize

    56KB

  • memory/1096-6-0x0000000004100000-0x000000000417B000-memory.dmp
    Filesize

    492KB

  • memory/1568-8-0x0000000000000000-mapping.dmp
  • memory/1672-10-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1672-11-0x000000000041CFE0-mapping.dmp