Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 09:05
General
-
Target
Shipping Document PL&BL Draft.exe
-
Size
467KB
-
MD5
dd56b21e6b3a1a0958885059d6a395d2
-
SHA1
01ba3635bb6776ef50ad57c206cf674d69e8e61c
-
SHA256
e7091e7da366f0b1d4acbc1295841c6f7d1ab9412a9fe3fd9341c9d94274c457
-
SHA512
dccf3a92be410b7a0f20342c73c2e935975eecf3bb23c3dac69aaa91ff4e944593c3f4cfd2dc8e751c9c042089028affa9bfbacc4474c5adc0b19622232ed1b5
Malware Config
Extracted
formbook
http://www.elevatedenterprizes.com/h3qo/
dhflow.com
jyindex.com
ezcleanhandle.com
trungtamcongdong.online
simsprotectionagency.com
easylivemeet.com
blackvikingfashionhouse.com
52banxue.com
girlsinit.com
drhemo.com
freethefarmers.com
velvetrosephotography.com
geometricbotaniclas.com
skyandspirit.com
deltacomunicacao.com
mucademy.com
jaboilfieldsolutions.net
howtowinatblackjacknow.com
anytimegrowth.com
simranluthra.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1028-7-0x0000000000290000-0x00000000002A0000-memory.dmpFilesize
64KB
-
memory/1028-2-0x000000000041D0E0-mapping.dmp
-
memory/1028-3-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1028-5-0x0000000000110000-0x0000000000120000-memory.dmpFilesize
64KB
-
memory/1028-4-0x00000000008E0000-0x0000000000BE3000-memory.dmpFilesize
3.0MB
-
memory/1272-6-0x0000000002B20000-0x0000000002BD3000-memory.dmpFilesize
716KB
-
memory/1272-8-0x0000000006480000-0x00000000065F8000-memory.dmpFilesize
1.5MB
-
memory/1272-16-0x0000000006A70000-0x0000000006BF9000-memory.dmpFilesize
1.5MB
-
memory/1528-10-0x0000000076341000-0x0000000076343000-memory.dmpFilesize
8KB
-
memory/1528-12-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/1528-11-0x00000000002E0000-0x00000000003E4000-memory.dmpFilesize
1.0MB
-
memory/1528-14-0x0000000002170000-0x0000000002473000-memory.dmpFilesize
3.0MB
-
memory/1528-15-0x0000000001FC0000-0x000000000204F000-memory.dmpFilesize
572KB
-
memory/1528-9-0x0000000000000000-mapping.dmp
-
memory/1664-13-0x0000000000000000-mapping.dmp