Overview

overview

10

Static

static

786180a514...61.exe

windows7_x64

10

786180a514...61.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    786180a5141bf4ea48e26910d2bf9061.exe

  • Size

    889KB

  • MD5

    786180a5141bf4ea48e26910d2bf9061

  • SHA1

    f77224c2ac0c9dd746fc22b102da2a534bf889e2

  • SHA256

    63289870bb6e2bbb13afd47bf630c048e593afacc5c968939855f85ca5022ea4

  • SHA512

    cbdb00fe20e39c52ac736e75bc2c93abecc0d0ecbc9c10d7b62e88f6e574f99ee545a5ca34578dcdc564cd32fe3e9fb1258bc35d09304b094a32c2f89a492d28

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\786180a5141bf4ea48e26910d2bf9061.exe
    "C:\Users\Admin\AppData\Local\Temp\786180a5141bf4ea48e26910d2bf9061.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\786180a5141bf4ea48e26910d2bf9061.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-8-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/864-9-0x000000000041D010-mapping.dmp
    Download
  • memory/864-11-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1864-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1864-3-0x00000000010F0000-0x00000000010F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-5-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1864-6-0x0000000000450000-0x000000000045E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1864-7-0x0000000004FF0000-0x0000000005047000-memory.dmp
    Filesize

    348KB

    Download