Overview

overview

10

Static

static

Consignmen...ft.exe

windows7_x64

10

Consignmen...ft.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Consignment Document PL&BL Draft.exe

  • Size

    318KB

  • MD5

    ef20635d931f69c41175aa8f1d81d60c

  • SHA1

    3e00db6de337ef48f82ed1af80ca998ea86c5601

  • SHA256

    444e72d12e85dffc1b247b29e7789022b251237f56ea83bf72e3c09fcb628874

  • SHA512

    d9131029f0dbf8f59fa761031f0962c75dbbf138a97344e242434b324110fda7b7e9507b93bbd2224f5bd5cc654e7accce1e9994ddad499e386086d93ded5f13

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.elevatedenterprizes.com/h3qo/

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe
      "C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe
        "C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Consignment Document PL&BL Draft.exe"
        3⤵
          PID:4032

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2008-2-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2008-3-0x000000000041D0E0-mapping.dmp
      Download
    • memory/2280-6-0x0000000000000000-mapping.dmp
      Download
    • memory/2280-7-0x0000000001000000-0x000000000100C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2280-8-0x0000000001000000-0x000000000100C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4032-9-0x0000000000000000-mapping.dmp
      Download