Overview

overview

10

Static

static

8

SecuriteIn...25.exe

windows7_x64

10

SecuriteIn...25.exe

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Trojan.dc.925.exe

  • Size

    276KB

  • MD5

    4755bdfa1fb87c626856b33c48419201

  • SHA1

    c174cf847aa3e0a06128626c13608a3a5421e0f4

  • SHA256

    d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf

  • SHA512

    d7e982eb367ee0813dcdb92604f3f444c88603dc1aa6c5c14d397d7a43dfbedc7ee9280b3674a8715c4cab8c24176f4efa24d5cf206596b5e21cdc40c467c5ca

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.hitchhikerfab.com/qjnt/

Decoy

silverlakesfootball.com

drivebymovie.com

precisedirections.com

xn--01-mlcpq1abi.xn--p1acf

landhubturkey.com

andronomicon.com

kindlyhomecare.com

tyequip.com

planfra.com

wy1197.com

blackcatbaker.com

ddhhynjy.com

sales-altigen.com

valerielimozin.com

walmamall.com

quishkambalito.com

gnbsuvm.icu

milanostorear.com

olympiaopen.com

zradydlyazhinok-ua.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.dc.925.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.dc.925.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.dc.925.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.dc.925.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3480-3-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3480-4-0x000000000041D030-mapping.dmp
    Download
  • memory/3480-8-0x0000000000B70000-0x0000000000E90000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/4776-2-0x0000000005150000-0x0000000005151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4776-5-0x0000000004DA0000-0x0000000004DC0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4776-6-0x0000000004DC0000-0x0000000004DEA000-memory.dmp
    Filesize

    168KB

    Download