Analysis
-
max time kernel
42s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-01-2021 07:26
General
-
Target
eaae6c96269eff1ba5834ce343a2d1bf.exe
-
Size
395KB
-
MD5
eaae6c96269eff1ba5834ce343a2d1bf
-
SHA1
23917bba7902c5c54f36f863b374795ac5615324
-
SHA256
57fcc02e839d4ae0b8965ed55738960a952006f5e70ee1317f2bfacb97a43a5f
-
SHA512
c494c998ff4997e72265db49d13e6ed6d5db05d36ac9ed3b19a65664b11f79f7c99ea8ad442e053eed97b14cb5cf4c329202781522de97a1ab35a143e2d5c243
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CmpmdTAj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB4FE.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB4FE.tmpMD5
63fa6b9044e883bcc95209c3a7a7dee0
SHA120381fd4a7062f0b9c9c4c3f88fb1f1e90ba983a
SHA256754ab38386338502ad7474e341488dc4312f637bd95080b1cce89c6c02c2f61c
SHA5121b5857a773a8e6b8b740036c1838789ba7eb229cd267ff148323586e13e212746bc202be182e9fbf4aeb44226b2ab3a06f613ff2a2413bab71384abf878f9104
-
memory/2136-12-0x0000000000000000-mapping.dmp
-
memory/2652-15-0x000000000041D0C0-mapping.dmp
-
memory/2652-14-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4052-6-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4052-8-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/4052-9-0x0000000004D70000-0x0000000004D7E000-memory.dmpFilesize
56KB
-
memory/4052-10-0x0000000008440000-0x0000000008488000-memory.dmpFilesize
288KB
-
memory/4052-11-0x0000000008530000-0x0000000008531000-memory.dmpFilesize
4KB
-
memory/4052-7-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4052-2-0x0000000073820000-0x0000000073F0E000-memory.dmpFilesize
6.9MB
-
memory/4052-5-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/4052-3-0x0000000000070000-0x0000000000071000-memory.dmpFilesize
4KB