Overview

overview

10

Static

static

SecuriteIn...56.exe

windows7_x64

10

SecuriteIn...56.exe

windows10_x64

10

Analysis

  • max time kernel
    41s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Artemis9384F39577D5.29456.exe

  • Size

    1.4MB

  • MD5

    9384f39577d50f51a122e2f3d1d875c0

  • SHA1

    0628101eede7f441ec56217d0acee716b24a3ba0

  • SHA256

    9787e886d7536b9343db7b8b78a9f87f5177b5d11460130d2aced11ccb44de8f

  • SHA512

    882944adbe708490b28c4f15f43597e4760b819c040728f9dced69f9063cc08dd2e6b5bd45e00416a4f503cdfa3c994a9710f7a72eaf4735df18c14f893d05f9

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:424
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
      "{path}"
      2⤵
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
        "{path}"
        2⤵
          PID:196
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Artemis9384F39577D5.29456.exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3472

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/424-2-0x0000000073D50000-0x000000007443E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/424-3-0x0000000000040000-0x0000000000041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/424-5-0x0000000006F10000-0x0000000006F85000-memory.dmp

        Filesize

        468KB

        Download

      • memory/424-6-0x000000000A790000-0x000000000A791000-memory.dmp

        Filesize

        4KB

        Download

      • memory/424-7-0x0000000002530000-0x0000000002531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/424-8-0x000000000A330000-0x000000000A331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/424-9-0x000000000A490000-0x000000000A491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/424-10-0x0000000004B90000-0x0000000004B9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/424-11-0x0000000004E30000-0x0000000004E85000-memory.dmp

        Filesize

        340KB

        Download

      • memory/424-12-0x0000000004F40000-0x0000000004F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3472-13-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3472-14-0x000000000041D030-mapping.dmp

        Download

      • memory/3472-16-0x00000000012E0000-0x0000000001600000-memory.dmp

        Filesize

        3.1MB

        Download