Analysis
-
max time kernel
40s -
max time network
63s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 07:10
General
-
Target
53f49109a1c5fa77ec3c4557011a50cd.exe
-
Size
1.4MB
-
MD5
53f49109a1c5fa77ec3c4557011a50cd
-
SHA1
ca395941866606ea268b1f3d6382c773f24f7ac3
-
SHA256
2d876129c69f0f4be0c87aeb20cdc38ae8f5db29bea6f87807946b89e0b61a50
-
SHA512
c1d2431c060ea7297e9c1491b88f738a9bba77e402110274b5464d0cb8a65470f212444d0bbb80fd70d23cccefbe7ba52fd1d79a68e48e908f0c41a848f5cbb5
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RpminmFsh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13B8.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\53f49109a1c5fa77ec3c4557011a50cd.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp13B8.tmpMD5
859007b5ce7ca38227f8107105d09469
SHA12fcf7f00e3fabfc223ed57e50844ec59e11780dd
SHA25690514f05493b618e613f896f1014421b4ba9fc2f21e110ed14aab63152429124
SHA512efe56773f07347422dad6ad2440f3d5924825fb1bbcd970ebfbbadbcfbfe1f80cbcd28ae6bb128878d61f0f42b18b930b540e6839601698fec7b6d624d1aca70
-
memory/636-13-0x0000000000000000-mapping.dmp
-
memory/648-9-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/648-6-0x000000000ABD0000-0x000000000ABD1000-memory.dmpFilesize
4KB
-
memory/648-7-0x000000000A8B0000-0x000000000A8B1000-memory.dmpFilesize
4KB
-
memory/648-8-0x000000000A890000-0x000000000A891000-memory.dmpFilesize
4KB
-
memory/648-2-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/648-10-0x00000000050D0000-0x00000000050DE000-memory.dmpFilesize
56KB
-
memory/648-11-0x0000000005370000-0x00000000053C6000-memory.dmpFilesize
344KB
-
memory/648-12-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/648-5-0x0000000007450000-0x00000000074C8000-memory.dmpFilesize
480KB
-
memory/648-3-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/3348-15-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3348-16-0x000000000041D0C0-mapping.dmp
-
memory/3348-18-0x0000000001690000-0x00000000019B0000-memory.dmpFilesize
3.1MB