Overview

overview

10

Static

static

82a7688a62...6b.exe

windows7_x64

10

82a7688a62...6b.exe

windows10_x64

10

Resubmissions

31-01-2022 09:53

220131-lwpgwaghgr 10

31-01-2022 09:09

220131-k4v4ysghcm 10

Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82a7688a628cd4b87e6f85206f0e756b.exe

  • Size

    871KB

  • MD5

    82a7688a628cd4b87e6f85206f0e756b

  • SHA1

    13ecd851c121cd69e76628289f300ecfe974bbc8

  • SHA256

    fa88f5241b5c12af593af57b9aad1c1cbd6a2a2f12010ad08b326ba3424832b6

  • SHA512

    9b295d4c3a42eff13a2fa9672ac41f2c36f8df9fae9d3b3cf3090ebe63a1fb3bb927c4b27383a4da47e772e7a942db517a3259dc297d51bb610e76badb186481

Score
10/10
formbookmodiloaderxloadergqvvloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gqvv

Decoy

the-pumps.com

imagepixo.com

gloriamcarter.com

cedacventures.com

chengxinyuan.online

evesfashion.online

relyoncarlos.com

marinayouth.com

hbsckj.net

jdmnn.com

fedelini.online

barkleysbettermints.com

popierwszezdrowie.net

amelntl.net

oceanic-sauna.online

ksssz.com

aprilrehrig.com

nwzjr.com

manimani1225.com

gstfranchisecenter.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • ModiLoader Second Stage 5 IoCs
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\82a7688a628cd4b87e6f85206f0e756b.exe
      "C:\Users\Admin\AppData\Local\Temp\82a7688a628cd4b87e6f85206f0e756b.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\DpiScaling.exe
        C:\Windows\System32\DpiScaling.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\DpiScaling.exe"
        3⤵
          PID:1280
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1716
        • C:\Program Files (x86)\Nzv14x\igfx7nj88v.exe
          "C:\Program Files (x86)\Nzv14x\igfx7nj88v.exe"
          2⤵
          • Executes dropped EXE
          PID:1692
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:728

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Nzv14x\igfx7nj88v.exe
          MD5

          8c9da2e414e713d3daff1f18223ae11b

          SHA1

          9ef90d73fa4d852be9b803a5e990cc908aab8a94

          SHA256

          60b2a9d679f14f92e284ad21395da53652db137e45ec6473d9033e6c3fe6a37f

          SHA512

          adc712d94e8226729b336a348e9376d68f1e006871e7a0151f312e125e96226e74bc75e87efd709e31c5cb322a9ed68e2912c9fd03bd6e6800f5900f712105d7

          Download Submit
        • memory/1284-81-0x0000000000480000-0x0000000000498000-memory.dmp
          Filesize

          96KB

          Download
        • memory/1284-84-0x0000000001DE0000-0x0000000001E70000-memory.dmp
          Filesize

          576KB

          Download
        • memory/1284-83-0x00000000020B0000-0x00000000023B3000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1284-82-0x0000000000090000-0x00000000000B9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1324-69-0x0000000072480000-0x00000000724A9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1324-78-0x0000000000150000-0x0000000000161000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1324-70-0x0000000000080000-0x0000000000081000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1324-77-0x0000000001F60000-0x0000000002263000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1324-75-0x0000000072480000-0x00000000724A9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1324-76-0x0000000000090000-0x0000000000091000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1408-79-0x0000000006A40000-0x0000000006BD7000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1408-85-0x0000000004FC0000-0x00000000050F7000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1536-74-0x0000000004240000-0x00000000042C3000-memory.dmp
          Filesize

          524KB

          Download
        • memory/1536-72-0x0000000004240000-0x00000000042C3000-memory.dmp
          Filesize

          524KB

          Download
        • memory/1536-54-0x0000000000220000-0x0000000000221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1536-64-0x0000000004240000-0x00000000042C3000-memory.dmp
          Filesize

          524KB

          Download
        • memory/1536-65-0x0000000004240000-0x00000000042C3000-memory.dmp
          Filesize

          524KB

          Download
        • memory/1536-63-0x0000000004240000-0x00000000042C3000-memory.dmp
          Filesize

          524KB

          Download
        • memory/1536-55-0x0000000076C91000-0x0000000076C93000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1692-88-0x0000000072FC1000-0x0000000072FC3000-memory.dmp
          Filesize

          8KB

          Download