Overview

overview

10

Static

static

dir2.exe

windows7_x64

10

dir2.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dir2.exe

  • Size

    1.5MB

  • MD5

    ac44dce1ac1b90aec13f71bed7a27f14

  • SHA1

    baadfc03a182da09e604235679cdde0feae32e28

  • SHA256

    10d1e607e170563551b4dc8ce160b907067143b8222418cab17620481c3471c9

  • SHA512

    435e10cd48ee663a28912aeb8dc13fb9cb09ee86a92113f2d88f75548b969378881de60eaf72e694f3c49db1cc040c1fa0aea8f8fceeb05cb492c32d0a2ad731

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\dir2.exe
      "C:\Users\Admin\AppData\Local\Temp\dir2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\dir2.exe
        "C:\Users\Admin\AppData\Local\Temp\dir2.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:292
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\dir2.exe"
        3⤵
        • Deletes itself
        PID:304

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/292-20-0x00000000022E0000-0x000000000236F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/292-19-0x0000000075EA1000-0x0000000075EA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/292-18-0x0000000001FD0000-0x00000000022D3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/292-16-0x00000000000C0000-0x00000000000E8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/292-15-0x0000000000310000-0x0000000000317000-memory.dmp
    Filesize

    28KB

    Download
  • memory/292-14-0x0000000000000000-mapping.dmp
    Download
  • memory/304-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1304-13-0x0000000003A50000-0x0000000003B08000-memory.dmp
    Filesize

    736KB

    Download
  • memory/1936-11-0x0000000000CB0000-0x0000000000FB3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1936-12-0x0000000000080000-0x0000000000090000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1936-9-0x000000000041CFF0-mapping.dmp
    Download
  • memory/1936-8-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2004-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2004-7-0x0000000005480000-0x0000000005524000-memory.dmp
    Filesize

    656KB

    Download
  • memory/2004-6-0x00000000005A0000-0x00000000005B3000-memory.dmp
    Filesize

    76KB

    Download
  • memory/2004-5-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2004-3-0x0000000000B30000-0x0000000000B31000-memory.dmp
    Filesize

    4KB

    Download