Overview

overview

10

Static

static

SWIFT Paym...48.exe

windows7_x64

10

SWIFT Paym...48.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe

  • Size

    895KB

  • MD5

    b8ead540e40416915bd3f6134f2017bb

  • SHA1

    e74cf3642e4bd4b3f616bc5230edd5312d97ecfc

  • SHA256

    201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67

  • SHA512

    1e5631249b531d0abf6f3603016ec1e06d3efe55bae91c8db116ab5c94f126473448bf78338163a8cbc526bb168d70933014222150afbb9270a08303f0963002

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.boundlesshealthyliving.com/isub/

Decoy

beeyoubc.net

nimbleangel.com

woninghuurcuracao.com

hair2dye4.academy

affordablebothell.com

maglex.info

jacykretas.com

toushiys.com

gfitzfreetestcloud.com

sisuluzinterior.com

sunshipinvestments.com

lulenahairco.com

shangchen33.com

ocase24.com

shamanicsound.com

newbharatbakery.com

imratingit.net

twinningtreats.com

btzmed.com

bedtimewish.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe
      "C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe
        "C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:752

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1504-13-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1504-20-0x00000000015E0000-0x00000000015F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1504-18-0x0000000000DF0000-0x0000000000E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1504-17-0x00000000016C0000-0x00000000019E0000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1504-14-0x000000000041D050-mapping.dmp

      Download

    • memory/2092-21-0x0000000006C60000-0x0000000006D86000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2092-19-0x0000000006B10000-0x0000000006C5C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3888-7-0x0000000004D90000-0x0000000004D91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-11-0x0000000004F00000-0x0000000004F23000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3888-12-0x0000000005B30000-0x0000000005B91000-memory.dmp

      Filesize

      388KB

      Download

    • memory/3888-10-0x0000000004C90000-0x0000000004C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-9-0x0000000004F60000-0x0000000004F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-8-0x0000000004C80000-0x0000000004C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3888-6-0x0000000005290000-0x0000000005291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3888-3-0x0000000000390000-0x0000000000391000-memory.dmp

      Filesize

      4KB

      Download