Analysis
-
max time kernel
47s -
max time network
99s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-01-2021 17:37
General
-
Target
eaae6c96269eff1ba5834ce343a2d1bf.exe
-
Size
395KB
-
MD5
eaae6c96269eff1ba5834ce343a2d1bf
-
SHA1
23917bba7902c5c54f36f863b374795ac5615324
-
SHA256
57fcc02e839d4ae0b8965ed55738960a952006f5e70ee1317f2bfacb97a43a5f
-
SHA512
c494c998ff4997e72265db49d13e6ed6d5db05d36ac9ed3b19a65664b11f79f7c99ea8ad442e053eed97b14cb5cf4c329202781522de97a1ab35a143e2d5c243
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CmpmdTAj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF65C.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\eaae6c96269eff1ba5834ce343a2d1bf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF65C.tmpMD5
d3a37327647cdbccaf59338aa3e3e3f6
SHA1026bcaff53f3a1b55ced0587342bce4792b6ac7a
SHA25662daeb42e41bb4f9d0876476641ae1c8439b6054f8c4a4b91cc7453d1030b66e
SHA5120cb01de1d2a48d2a23b84a73c3697780d8d7d7792dadee85e03b7aad9669f7a0b2753d276e60cf49a4efaed189e9e699289e2f9ac76e43f246b36389bb612a18
-
memory/60-13-0x0000000000000000-mapping.dmp
-
memory/836-18-0x0000000000F50000-0x0000000001270000-memory.dmpFilesize
3.1MB
-
memory/836-16-0x000000000041D0C0-mapping.dmp
-
memory/836-15-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1232-9-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/1232-2-0x0000000073CB0000-0x000000007439E000-memory.dmpFilesize
6.9MB
-
memory/1232-10-0x00000000052C0000-0x00000000052CE000-memory.dmpFilesize
56KB
-
memory/1232-11-0x00000000088A0000-0x00000000088E8000-memory.dmpFilesize
288KB
-
memory/1232-12-0x0000000008990000-0x0000000008991000-memory.dmpFilesize
4KB
-
memory/1232-8-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/1232-7-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/1232-6-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/1232-5-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/1232-3-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB