Overview

overview

10

Static

static

BEF20201801.exe

windows7_x64

10

BEF20201801.exe

windows10_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BEF20201801.exe

  • Size

    1.2MB

  • MD5

    06e4d811d6a0234e3c4ef9eba38fd5a1

  • SHA1

    bbbd38280ad7fa5e36ba27a16873941613ae6e52

  • SHA256

    337be490c64d6bf931577dd90ea28277392a46ea541b61f1574dcd75aab02b0f

  • SHA512

    52223bef10103e10d56b3054c67baf088f70b6a88c13ac525d79f11ff385680288d1184c89da92a7aa9c9bcbdf1f8eb23881df1e9a9c3439236f77809953e209

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.a-emeservice.com/m8ec/

Decoy

thomascraigwealth.com

melbournemedicalhealth.net

tdxcoin.com

lukassbprojects.net

aldemallc.com

moqawalat-kuwait.com

txcsco.com

jobcarepro.com

sedotwcmedanmurah.com

niconthenine.com

radliffrehab.com

infiniteechogroup.com

stellantis-luxury-rent.com

ibusehat.info

resellerauctions.com

softwarexprogrammers.com

bumpnlifestyle.com

mintmacher.com

partapprintercare.com

justrightinsurance.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\BEF20201801.exe
      "C:\Users\Admin\AppData\Local\Temp\BEF20201801.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Local\Temp\BEF20201801.exe
        "C:\Users\Admin\AppData\Local\Temp\BEF20201801.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\BEF20201801.exe"
        3⤵
        • Deletes itself
        PID:528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/284-17-0x0000000000B80000-0x0000000000C10000-memory.dmp
    Filesize

    576KB

    Download
  • memory/284-15-0x00000000000F0000-0x0000000000119000-memory.dmp
    Filesize

    164KB

    Download
  • memory/284-16-0x0000000002360000-0x0000000002663000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/284-14-0x0000000000F40000-0x0000000000F54000-memory.dmp
    Filesize

    80KB

    Download
  • memory/284-11-0x0000000000000000-mapping.dmp
    Download
  • memory/528-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1276-10-0x0000000003C40000-0x0000000003D85000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1660-6-0x000000000041D0A0-mapping.dmp
    Download
  • memory/1660-9-0x0000000000140000-0x0000000000151000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1660-8-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1660-5-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1924-4-0x0000000000C01000-0x0000000000C02000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1924-3-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize

    4KB

    Download