Analysis
-
max time kernel
126s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 07:55
General
-
Target
SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe
-
Size
895KB
-
MD5
b8ead540e40416915bd3f6134f2017bb
-
SHA1
e74cf3642e4bd4b3f616bc5230edd5312d97ecfc
-
SHA256
201f068c15e749ce1d3bd1a8e48909a9b0e8e5b0774b0eb2abc9096449fdbe67
-
SHA512
1e5631249b531d0abf6f3603016ec1e06d3efe55bae91c8db116ab5c94f126473448bf78338163a8cbc526bb168d70933014222150afbb9270a08303f0963002
Malware Config
Extracted
formbook
http://www.boundlesshealthyliving.com/isub/
beeyoubc.net
nimbleangel.com
woninghuurcuracao.com
hair2dye4.academy
affordablebothell.com
maglex.info
jacykretas.com
toushiys.com
gfitzfreetestcloud.com
sisuluzinterior.com
sunshipinvestments.com
lulenahairco.com
shangchen33.com
ocase24.com
shamanicsound.com
newbharatbakery.com
imratingit.net
twinningtreats.com
btzmed.com
bedtimewish.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"C:\Users\Admin\AppData\Local\Temp\SWIFT Payment DOOEL EUR 74,246.41 20210101950848.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1504-13-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1504-20-0x00000000015E0000-0x00000000015F0000-memory.dmpFilesize
64KB
-
memory/1504-18-0x0000000000DF0000-0x0000000000E00000-memory.dmpFilesize
64KB
-
memory/1504-17-0x00000000016C0000-0x00000000019E0000-memory.dmpFilesize
3.1MB
-
memory/1504-14-0x000000000041D050-mapping.dmp
-
memory/2092-21-0x0000000006C60000-0x0000000006D86000-memory.dmpFilesize
1.1MB
-
memory/2092-19-0x0000000006B10000-0x0000000006C5C000-memory.dmpFilesize
1.3MB
-
memory/3888-7-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/3888-11-0x0000000004F00000-0x0000000004F23000-memory.dmpFilesize
140KB
-
memory/3888-12-0x0000000005B30000-0x0000000005B91000-memory.dmpFilesize
388KB
-
memory/3888-10-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/3888-9-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/3888-8-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmpFilesize
6.9MB
-
memory/3888-6-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/3888-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/3888-3-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB