Overview

overview

10

Static

static

SecuriteIn...56.exe

windows7_x64

10

SecuriteIn...56.exe

windows10_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Artemis9384F39577D5.29456.exe

  • Size

    1.4MB

  • MD5

    9384f39577d50f51a122e2f3d1d875c0

  • SHA1

    0628101eede7f441ec56217d0acee716b24a3ba0

  • SHA256

    9787e886d7536b9343db7b8b78a9f87f5177b5d11460130d2aced11ccb44de8f

  • SHA512

    882944adbe708490b28c4f15f43597e4760b819c040728f9dced69f9063cc08dd2e6b5bd45e00416a4f503cdfa3c994a9710f7a72eaf4735df18c14f893d05f9

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1596-14-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1596-15-0x000000000041D030-mapping.dmp
    Download
  • memory/1596-17-0x0000000000970000-0x0000000000C73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1684-3-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-5-0x00000000009D0000-0x0000000000A45000-memory.dmp
    Filesize

    468KB

    Download
  • memory/1684-6-0x0000000000580000-0x0000000000591000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1684-11-0x0000000004E90000-0x0000000004E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-12-0x0000000000500000-0x000000000050E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1684-13-0x0000000004780000-0x00000000047D5000-memory.dmp
    Filesize

    340KB

    Download