Overview

overview

10

Static

static

5c09424878...fe.exe

windows7_x64

10

5c09424878...fe.exe

windows10_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c0942487820e14219794f029a64e1fe.exe

  • Size

    872KB

  • MD5

    5c0942487820e14219794f029a64e1fe

  • SHA1

    40b9b174db8a89f4c81f5ad66f6528f1bd9e8efb

  • SHA256

    f991818096935708b00e812a9700a0215a1583047f2721552a9d6375abf0db75

  • SHA512

    0cb1095c2349389b3aab75451cde102008771e8bb42565534501afc4c838193b834ad97e72f380d491bdded84075ce9fecd58b34b37ebd29751958aac9497849

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.kaiyuansu.pro/incn/

Decoy

1bovvfk93jd.com

enlightenedhealthcoaching.com

findthatsmartphone.com

intelligentsystemsus.com

xn--lmsealamientos-tnb.com

eot0luh5ia.men

babanewshop.com

beyond-bit.com

meritane.com

buythinsecret.com

c2ornot.com

twelvesband.com

rktlends.com

bourseandish.com

happyshop88.com

topangacanyonvintage.com

epersonalloansonline.com

roofers-anaheim.com

shanghaiys.net

bickel.wtf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe
      "C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/384-8-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/384-9-0x000000000041D060-mapping.dmp
    Download
  • memory/384-11-0x0000000000770000-0x0000000000A73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1656-2-0x0000000074000000-0x00000000746EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1656-3-0x0000000001010000-0x0000000001011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1656-5-0x0000000000690000-0x0000000000691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1656-6-0x0000000000490000-0x00000000004B3000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1656-7-0x0000000004940000-0x00000000049A1000-memory.dmp
    Filesize

    388KB

    Download