Overview

overview

10

Static

static

SecuriteIn...48.exe

windows7_x64

3

SecuriteIn...48.exe

windows10_x64

10

Analysis

  • max time kernel
    16s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.507.549.448.exe

  • Size

    432KB

  • MD5

    528c0afa9442eb19e7d109832366432c

  • SHA1

    5c523cd2a67ed3e1e7cb8820f46cc6c9677ae505

  • SHA256

    d433e7ca5197ed83d851161b45aa94ae8b469a2c711b7a327d749c32279785f5

  • SHA512

    e1e3ded8f77568156a5410c3d03df0875d92071e5a744fe7bad7d15662e141317efc9a3e64c8a7532f2053c18d660945f5de059be15f9ae622a0af5297340140

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.507.549.448.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.507.549.448.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.507.549.448.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.507.549.448.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1172
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2712-17-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-9-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-5-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-6-0x00000000055A0000-0x00000000055A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-7-0x0000000005640000-0x0000000005696000-memory.dmp
    Filesize

    344KB

    Download
  • memory/3152-8-0x0000000005EC0000-0x0000000005EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-2-0x0000000073820000-0x0000000073F0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3152-10-0x0000000005700000-0x000000000570F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/3152-13-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-15-0x0000000005850000-0x0000000005851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3152-3-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3884-12-0x000000000041D030-mapping.dmp
    Download
  • memory/3884-11-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/3884-16-0x00000000012D0000-0x00000000015F0000-memory.dmp
    Filesize

    3.1MB

    Download