Overview

overview

10

Static

static

SecuriteIn...69.exe

windows7_x64

10

SecuriteIn...69.exe

windows10_x64

5

Analysis

  • max time kernel
    8s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-01-2021 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe

  • Size

    297KB

  • MD5

    2d435a73a52785b8912a447e4e205e50

  • SHA1

    082edf778cbf0a7af0994d2a0b7d397b6a820f33

  • SHA256

    1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26

  • SHA512

    288063c4fe25cba62a24a9cb074c0362fd137a54f378e18eb537569750f3c7c26bd1a6343ca95ab805e02cc6b789e3d5b8ecc6e3f877eecfb4fda8c5a89aa7be

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.chuanxingtong.com/j5an/

Decoy

xwwgj.com

release-paypal.com

investorshighway.com

maglex.info

chenangopistolpermit.com

thebihareye.com

sanjosemasks.com

foremanmotors.com

stadtstreicherin.com

9247pf.com

erenvincplatform.xyz

cushcaps.com

flatisteam.com

kojyouibennto.com

rahmatsuparman.com

vallyfades.online

metropitstop.com

shopasha.com

windycitycreditsolutions.com

uproxysite.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1924-2-0x000000000041D070-mapping.dmp
    Download
  • memory/1924-3-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1924-4-0x00000000008D0000-0x0000000000BD3000-memory.dmp
    Filesize

    3.0MB

    Download