Analysis
-
max time kernel
40s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19-01-2021 07:10
General
-
Target
53f49109a1c5fa77ec3c4557011a50cd.exe
-
Size
1.4MB
-
MD5
53f49109a1c5fa77ec3c4557011a50cd
-
SHA1
ca395941866606ea268b1f3d6382c773f24f7ac3
-
SHA256
2d876129c69f0f4be0c87aeb20cdc38ae8f5db29bea6f87807946b89e0b61a50
-
SHA512
c1d2431c060ea7297e9c1491b88f738a9bba77e402110274b5464d0cb8a65470f212444d0bbb80fd70d23cccefbe7ba52fd1d79a68e48e908f0c41a848f5cbb5
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RpminmFsh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9888.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9888.tmpMD5
0987c4bc7f8a7a48e16931e2ecf721e1
SHA19f50ddc61bc8477c2e439109a041ca8f1ad962cb
SHA256399313ee3912823f1482e7a1b8ad0499ad8e83ed002965301798ce3a3a1c3cb0
SHA5126db7c6853fffcbb1023268e976177729e7593beb227207b1754aed83ed4da66428bbbdffeb394eee7c6caa9221c20a06a01042cf68a62734039b951cd33b1184
-
memory/308-9-0x0000000000000000-mapping.dmp
-
memory/432-11-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/432-12-0x000000000041D0C0-mapping.dmp
-
memory/432-14-0x0000000000870000-0x0000000000B73000-memory.dmpFilesize
3.0MB
-
memory/1832-2-0x0000000073980000-0x000000007406E000-memory.dmpFilesize
6.9MB
-
memory/1832-3-0x00000000011A0000-0x00000000011A1000-memory.dmpFilesize
4KB
-
memory/1832-5-0x0000000000470000-0x00000000004E8000-memory.dmpFilesize
480KB
-
memory/1832-6-0x00000000010A0000-0x00000000010A1000-memory.dmpFilesize
4KB
-
memory/1832-7-0x0000000000550000-0x000000000055E000-memory.dmpFilesize
56KB
-
memory/1832-8-0x0000000000C60000-0x0000000000CB6000-memory.dmpFilesize
344KB