Overview

overview

10

Static

static

Booking an...ls.exe

windows7_x64

10

Booking an...ls.exe

windows10_x64

10

Analysis

  • max time kernel
    1205s
  • max time network
    1207s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    29-08-2021 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking and Shipping Reference Details.exe

  • Size

    764KB

  • MD5

    261e1d3d96af2d57fabdf9295a6ad987

  • SHA1

    4be2f141e6862bbf8a79bac4900a211008ac6e68

  • SHA256

    468169b4fe61a81e910c9b820d46694ad3e089e7d276831e690f86012db80195

  • SHA512

    0307ea1169f2193c513af63aadb10fa3a3f0c9bae5767997e940085572150e0db8480cbf4a72dc8795e78570250f0342eec768d8eb63c731519f3091ddec9a05

Score
10/10
formbookxloaderu86gloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u86g

C2

http://www.99356a.com/u86g/

Decoy

agenciaplim.com

fastpage.info

tiantianbd.com

hanedanpirlanta.com

project1accessories.com

rebeccadoumet.com

vrdnfz.com

jeaninesatl.com

isaakwallihconstruction.com

aegis.cloud

tigerandsnow.com

thehappyadventurer.com

ahhazu.com

hiveplushoney.com

k-plan-ning.com

peresvet.one

darkworkcustoms.com

deathbok.com

blackinkswizz.com

077sb.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\Booking and Shipping Reference Details.exe
      "C:\Users\Admin\AppData\Local\Temp\Booking and Shipping Reference Details.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\Booking and Shipping Reference Details.exe
        "C:\Users\Admin\AppData\Local\Temp\Booking and Shipping Reference Details.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\SysWOW64\cscript.exe"
          4⤵
          • Adds policy Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:792
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Booking and Shipping Reference Details.exe"
            5⤵
            • Deletes itself
            PID:1692
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:1020
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              5⤵
                PID:1880
        • C:\Program Files (x86)\Dnlr0\windfj8f.exe
          "C:\Program Files (x86)\Dnlr0\windfj8f.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Program Files (x86)\Dnlr0\windfj8f.exe
            "C:\Program Files (x86)\Dnlr0\windfj8f.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Dnlr0\windfj8f.exe
        MD5

        261e1d3d96af2d57fabdf9295a6ad987

        SHA1

        4be2f141e6862bbf8a79bac4900a211008ac6e68

        SHA256

        468169b4fe61a81e910c9b820d46694ad3e089e7d276831e690f86012db80195

        SHA512

        0307ea1169f2193c513af63aadb10fa3a3f0c9bae5767997e940085572150e0db8480cbf4a72dc8795e78570250f0342eec768d8eb63c731519f3091ddec9a05

        Download Submit
      • C:\Program Files (x86)\Dnlr0\windfj8f.exe
        MD5

        261e1d3d96af2d57fabdf9295a6ad987

        SHA1

        4be2f141e6862bbf8a79bac4900a211008ac6e68

        SHA256

        468169b4fe61a81e910c9b820d46694ad3e089e7d276831e690f86012db80195

        SHA512

        0307ea1169f2193c513af63aadb10fa3a3f0c9bae5767997e940085572150e0db8480cbf4a72dc8795e78570250f0342eec768d8eb63c731519f3091ddec9a05

        Download Submit
      • C:\Program Files (x86)\Dnlr0\windfj8f.exe
        MD5

        261e1d3d96af2d57fabdf9295a6ad987

        SHA1

        4be2f141e6862bbf8a79bac4900a211008ac6e68

        SHA256

        468169b4fe61a81e910c9b820d46694ad3e089e7d276831e690f86012db80195

        SHA512

        0307ea1169f2193c513af63aadb10fa3a3f0c9bae5767997e940085572150e0db8480cbf4a72dc8795e78570250f0342eec768d8eb63c731519f3091ddec9a05

        Download Submit
      • memory/792-79-0x00000000022B0000-0x000000000233F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/792-78-0x0000000001FA0000-0x00000000022A3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/792-76-0x0000000000070000-0x0000000000098000-memory.dmp
        Filesize

        160KB

        Download
      • memory/792-75-0x0000000000710000-0x0000000000732000-memory.dmp
        Filesize

        136KB

        Download
      • memory/792-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-82-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-90-0x000000013F780000-0x000000013F813000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1020-91-0x00000000023C0000-0x0000000002535000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1080-66-0x00000000007C0000-0x00000000007F3000-memory.dmp
        Filesize

        204KB

        Download
      • memory/1080-65-0x0000000005380000-0x00000000053E9000-memory.dmp
        Filesize

        420KB

        Download
      • memory/1080-64-0x00000000002E0000-0x00000000002F6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1080-60-0x0000000001120000-0x0000000001121000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1080-63-0x00000000051D0000-0x00000000051D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1080-62-0x0000000075B31000-0x0000000075B33000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1228-73-0x00000000073C0000-0x0000000007537000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1228-71-0x0000000004220000-0x00000000042FF000-memory.dmp
        Filesize

        892KB

        Download
      • memory/1228-80-0x0000000006470000-0x0000000006564000-memory.dmp
        Filesize

        976KB

        Download
      • memory/1676-67-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/1676-72-0x0000000000430000-0x0000000000440000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1676-70-0x0000000000160000-0x0000000000170000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1676-69-0x00000000008A0000-0x0000000000BA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1676-68-0x000000000041D020-mapping.dmp
        Download
      • memory/1692-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1728-89-0x0000000000430000-0x0000000000431000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1728-86-0x0000000000A60000-0x0000000000A61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1728-83-0x0000000000000000-mapping.dmp
        Download
      • memory/1764-95-0x000000000041D020-mapping.dmp
        Download
      • memory/1764-97-0x0000000000B30000-0x0000000000E33000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1880-98-0x0000000000000000-mapping.dmp
        Download
      • memory/1880-99-0x000000013F270000-0x000000013F303000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1880-100-0x0000000000060000-0x00000000001A7000-memory.dmp
        Filesize

        1.3MB

        Download