Overview

overview

10

Static

static

3e3d35afbf...6f.exe

windows7_x64

10

3e3d35afbf...6f.exe

windows10_x64

10

Analysis

  • max time kernel
    38s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e3d35afbf473c5ed5aec39aba52346f.exe

  • Size

    827KB

  • MD5

    3e3d35afbf473c5ed5aec39aba52346f

  • SHA1

    4b47ee201ab67fd115667b0d061a282ed5ffb2f4

  • SHA256

    1d2cf0287f43172cf4b7e250574319fa36b733e98878622e2ea016f5c0437679

  • SHA512

    2c5620c3866a7e8e065e9fb48196236d2e6e7a24e1a23fe241c20d8ae7b3d15be36d8ee5adc5faf1989138a46734cfc9572334dc8a5906f4e9a2b5c668549778

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e3d35afbf473c5ed5aec39aba52346f.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3d35afbf473c5ed5aec39aba52346f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Users\Admin\AppData\Local\Temp\3e3d35afbf473c5ed5aec39aba52346f.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/476-2-0x0000000073F20000-0x000000007460E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/476-3-0x0000000000C10000-0x0000000000C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/476-5-0x0000000000580000-0x000000000058E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/476-6-0x0000000005690000-0x000000000571A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/1592-7-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1592-8-0x000000000041D010-mapping.dmp
    Download