Overview

overview

10

Static

static

8fb76e6c9b...bd.exe

windows7_x64

10

8fb76e6c9b...bd.exe

windows10_x64

10

Analysis

  • max time kernel
    41s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fb76e6c9b652646d7c1f7f377c97cbd.exe

  • Size

    1.0MB

  • MD5

    8fb76e6c9b652646d7c1f7f377c97cbd

  • SHA1

    087721c9ad24c3895e66186c208512706b64f025

  • SHA256

    81e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b

  • SHA512

    cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.h-v-biz.com/c8so/

Decoy

floeperformancegear.com

youtubeincreaser.com

cbb-is.com

bullsbikeusa.com

mama-asobitai.com

parkdaleliving.com

kinneintl.com

byrondramos.com

topangashaman.com

channel1057.com

nuancedigitalsolutions.com

kumheekim.com

erikating.com

ulinekorea.com

giftoes.com

blacknation.info

eventsdonevirtually.com

mx190501.com

bingent.info

seronofertilitymeds.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dromkeG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1677.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:200
    • C:\Users\Admin\AppData\Local\Temp\8fb76e6c9b652646d7c1f7f377c97cbd.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1677.tmp
    MD5

    e67ffd4ac29d4a519d94f93bb12986ec

    SHA1

    a014c541816cd7779038d89830063d19d9ab0423

    SHA256

    761468ed28a1dcc5c1db1c467bb45b59c3e5a4b3890c9f9a1b8eda0c23c380fb

    SHA512

    97b98cfb26a6821fc4327f6d794cffde34caf2d99cf68dc14429ef67556583da4cd2f982f01d21ef8a3ea9bb7fd42605dab737fca16860dfb8a0f05ccb5762cb

    Download Submit
  • memory/200-11-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1924-3-0x0000000000A60000-0x0000000000A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-5-0x0000000007DD0000-0x0000000007DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-6-0x00000000079B0000-0x00000000079B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-7-0x0000000007B20000-0x0000000007B21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-8-0x0000000007C00000-0x0000000007C0E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1924-9-0x0000000002DB0000-0x0000000002E2B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-10-0x000000000A010000-0x000000000A011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-13-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1988-14-0x000000000041CFE0-mapping.dmp
    Download