Overview

overview

10

Static

static

Shipping D...ft.exe

windows7_x64

10

Shipping D...ft.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-01-2021 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Document PL&BL Draft.exe

  • Size

    329KB

  • MD5

    9a35a8f3f77ce5b039c3a8c2763270cd

  • SHA1

    b72765fb0cc02184cfe77401addef4305315e50c

  • SHA256

    58b012a7c77564704af9bc88d272f1aa68c6789c84a146d0f566304c370bc89a

  • SHA512

    91897cdbeda39e71b588ca38a22c58fecbbb95d791886df668f57a5f31db0d9fe0e9c610a5a4b2817df1bbe69c43639ba376402d898fc6125866efe654643b99

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.elevatedenterprizes.com/h3qo/

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:3924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          3⤵
            PID:736
          • C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe
            "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3596
        • C:\Windows\SysWOW64\chkdsk.exe
          "C:\Windows\SysWOW64\chkdsk.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"
            3⤵
              PID:2316

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/736-3-0x0000000000000000-mapping.dmp
          Download
        • memory/2316-11-0x0000000000000000-mapping.dmp
          Download
        • memory/3596-4-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3596-5-0x000000000041D0E0-mapping.dmp
          Download
        • memory/3768-8-0x0000000000000000-mapping.dmp
          Download
        • memory/3768-9-0x00000000002E0000-0x00000000002EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3768-10-0x00000000002E0000-0x00000000002EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3768-12-0x0000000006EF0000-0x000000000706E000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3924-2-0x0000000000000000-mapping.dmp
          Download