Analysis
max time kernel: 8s
max time network: 11s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  Resource: win10v20201028
General
Target: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
Size: 297KB
MD5: 2d435a73a52785b8912a447e4e205e50
SHA1: 082edf778cbf0a7af0994d2a0b7d397b6a820f33
SHA256: 1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26
SHA512: 288063c4fe25cba62a24a9cb074c0362fd137a54f378e18eb537569750f3c7c26bd1a6343ca95ab805e02cc6b789e3d5b8ecc6e3f877eecfb4fda8c5a89aa7be
Malware Config
Extracted family: formbook
Signatures

Xloader Payload (1 IoC)
  resource: behavioral1/memory/1924-3-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: PID 792 set thread context of 1924
  pid: 792
  process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  target process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1924
  process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 792
  process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 792 wrote to memory of 1924
  pid: 792
  process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  target process: SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  (the same record is reported five times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

Depth 2 (child of the above): C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.29819.13214.25469.exe"
  - Suspicious behavior: EnumeratesProcesses