Overview

overview

10

Static

static

Busan Korea.exe

windows7_x64

10

Busan Korea.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Busan Korea.exe

  • Size

    1.1MB

  • MD5

    c463ffa063af5cde7ad2a0aaf726854a

  • SHA1

    64b49f2fbc2bbc943ddfc3515ecb6a3092ebf47c

  • SHA256

    cb791f412d5932e2488323eb036e19c6f495d1e89f6fcbbd0f4b81efba432378

  • SHA512

    076bd2ae39edc6acf501c925d0acb1a38e087fd2cd88e47463c0815bff6947828adffc610b0354fcc87ae43b95471ea4e4773349da1dcb6cd5d7128af8f497ae

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.valiantbranch.com/0wdn/

Decoy

inclusivefamilybookshop.com

hollyjmillsphotography.com

mojavewellnessaz.com

cookies-x.info

trainingkanban.com

tempoborough.life

mayalv.com

mbsgiftstore.com

vanjele.com

serieshaha.com

jlbstructural.com

topkids.asia

thejoyofleather.com

qvujxa.com

anythinginworld.com

danielablason.com

smartphoneloops.com

thisisauckland.com

cityelectricals.com

revati-thenoir.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe
      "C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAqFmidTWJQD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD293.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:732
      • C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe
        "C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Busan Korea.exe"
        3⤵
          PID:1852

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD293.tmp
      MD5

      cbab395bd39532221e568f52e2c0ce7f

      SHA1

      d75483508695069125e35be72af8640164cacbb5

      SHA256

      fb548f8ea7d71f19806954be97a6f5841ce3eb80ba37d4ccc246ba3495995cc9

      SHA512

      b330610e993d47d3527e822273d0a572a46f166398704f0685944d006102759dfee1e783c7414b9e827966dbd125bf242f283f1471d849c8827277d5f0a0ba46

      Download Submit
    • memory/732-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1852-24-0x0000000000000000-mapping.dmp
      Download
    • memory/2140-21-0x00000000015E0000-0x00000000015F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2140-20-0x0000000001B30000-0x0000000001E50000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2140-17-0x000000000041D110-mapping.dmp
      Download
    • memory/2140-16-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3008-9-0x00000000059C0000-0x00000000059C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-5-0x0000000005530000-0x0000000005531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-12-0x0000000005880000-0x0000000005893000-memory.dmp
      Filesize

      76KB

      Download
    • memory/3008-13-0x0000000001380000-0x0000000001424000-memory.dmp
      Filesize

      656KB

      Download
    • memory/3008-10-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-2-0x0000000073920000-0x000000007400E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3008-8-0x00000000055F0000-0x00000000055F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-7-0x0000000005670000-0x0000000005671000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-6-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-11-0x00000000058B0000-0x00000000058B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-3-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3020-22-0x0000000002B20000-0x0000000002C1C000-memory.dmp
      Filesize

      1008KB

      Download
    • memory/3020-30-0x0000000006170000-0x00000000062D2000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3920-23-0x0000000000000000-mapping.dmp
      Download
    • memory/3920-25-0x0000000001010000-0x000000000102E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3920-26-0x0000000003130000-0x0000000003159000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3920-27-0x0000000003940000-0x0000000003C60000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3920-29-0x0000000003CF0000-0x0000000003D7F000-memory.dmp
      Filesize

      572KB

      Download