Overview

overview

10

Static

static

7nMMSdGgCXAfKsb.exe

windows7_x64

1

7nMMSdGgCXAfKsb.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7nMMSdGgCXAfKsb.exe

  • Size

    931KB

  • MD5

    50439fc35eaebb32f1fdeba8ef12e7c2

  • SHA1

    689a97e2c83d0e84aeca38c1330245149ef5ed0d

  • SHA256

    65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb

  • SHA512

    a80705235bbadac3c1d12d953016ddcb9ada91b28f442e61c5bc24babe7b0a39df9874fdbcc1687f28e594fc959b990a5a20be9ddb3f4540257964a1938ee9f0

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.besteprobioticakopen.online/uszn/

Decoy

animegriptape.com

pcpnetworks.com

putupmybabyforadoption.com

xn--jvrr98g37n88d.com

fertinvitro.doctor

undonethread.com

avoleague.com

sissysundays.com

guilhermeoliveiro.site

catholicon-bespeckle.info

mardesuenosfundacion.com

songkhoe24.site

shoecityindia.com

smallbathroomdecor.info

tskusa.com

prairiespringsllc.com

kegncoffee.com

clicklounge.xyz

catholicendoflifeplanning.com

steelobzee.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\7nMMSdGgCXAfKsb.exe
      "C:\Users\Admin\AppData\Local\Temp\7nMMSdGgCXAfKsb.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Users\Admin\AppData\Local\Temp\7nMMSdGgCXAfKsb.exe
        "{path}"
        3⤵
          PID:3052
        • C:\Users\Admin\AppData\Local\Temp\7nMMSdGgCXAfKsb.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\7nMMSdGgCXAfKsb.exe"
          3⤵
            PID:1372

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/492-2-0x0000000073310000-0x00000000739FE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/492-3-0x0000000000B50000-0x0000000000B51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/492-5-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/492-6-0x00000000054B0000-0x00000000054B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/492-7-0x0000000002FC0000-0x0000000002FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/492-8-0x0000000003030000-0x0000000003031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/492-9-0x00000000055D0000-0x00000000055DE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/492-10-0x00000000072F0000-0x0000000007346000-memory.dmp
        Filesize

        344KB

        Download
      • memory/492-11-0x0000000007920000-0x0000000007921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1372-21-0x0000000000000000-mapping.dmp
        Download
      • memory/2828-19-0x0000000000FB0000-0x0000000000FD7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/2828-18-0x0000000000000000-mapping.dmp
        Download
      • memory/2828-20-0x0000000000760000-0x0000000000789000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2828-22-0x0000000004920000-0x0000000004C40000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2828-24-0x0000000004770000-0x00000000047FF000-memory.dmp
        Filesize

        572KB

        Download
      • memory/2876-15-0x00000000014E0000-0x0000000001800000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2876-16-0x0000000000FF0000-0x0000000001000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2876-13-0x000000000041D0F0-mapping.dmp
        Download
      • memory/2876-12-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/3128-17-0x0000000006CA0000-0x0000000006E39000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3128-25-0x0000000006830000-0x00000000068F6000-memory.dmp
        Filesize

        792KB

        Download