Overview

overview

10

Static

static

5c09424878...fe.exe

windows7_x64

10

5c09424878...fe.exe

windows10_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    96s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c0942487820e14219794f029a64e1fe.exe

  • Size

    872KB

  • MD5

    5c0942487820e14219794f029a64e1fe

  • SHA1

    40b9b174db8a89f4c81f5ad66f6528f1bd9e8efb

  • SHA256

    f991818096935708b00e812a9700a0215a1583047f2721552a9d6375abf0db75

  • SHA512

    0cb1095c2349389b3aab75451cde102008771e8bb42565534501afc4c838193b834ad97e72f380d491bdded84075ce9fecd58b34b37ebd29751958aac9497849

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.kaiyuansu.pro/incn/

Decoy

1bovvfk93jd.com

enlightenedhealthcoaching.com

findthatsmartphone.com

intelligentsystemsus.com

xn--lmsealamientos-tnb.com

eot0luh5ia.men

babanewshop.com

beyond-bit.com

meritane.com

buythinsecret.com

c2ornot.com

twelvesband.com

rktlends.com

bourseandish.com

happyshop88.com

topangacanyonvintage.com

epersonalloansonline.com

roofers-anaheim.com

shanghaiys.net

bickel.wtf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe
      "C:\Users\Admin\AppData\Local\Temp\5c0942487820e14219794f029a64e1fe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1048-13-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1048-16-0x0000000001330000-0x0000000001650000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1048-14-0x000000000041D060-mapping.dmp
    Download
  • memory/1308-9-0x0000000005940000-0x0000000005941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-7-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-8-0x0000000005660000-0x0000000005661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-2-0x0000000073C50000-0x000000007433E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1308-10-0x0000000005A50000-0x0000000005A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-11-0x00000000059A0000-0x00000000059C3000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1308-12-0x0000000006510000-0x0000000006571000-memory.dmp
    Filesize

    388KB

    Download
  • memory/1308-6-0x0000000005C40000-0x0000000005C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-5-0x0000000005680000-0x0000000005681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1308-3-0x0000000000D80000-0x0000000000D81000-memory.dmp
    Filesize

    4KB

    Download