Analysis

  • max time kernel
    159s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    10-02-2022 11:36

General

  • Target

    fea1c9fccf1292d9fd2c048f0fa767e3.exe

  • Size

    294KB

  • MD5

    fea1c9fccf1292d9fd2c048f0fa767e3

  • SHA1

    790976dfd13d80cc8286fcd5ca60df6e6b3e0fdb

  • SHA256

    1ba84876de166844e415c6287023982232051d97ee776b37cf4a7512666494dd

  • SHA512

    3ef79d18ae784d5bce0348619063696578743c3f2942c5fe1540387e2d4261bcb1baa418d78c91e74912596d7f39db9c1045260bc78f1c8232decf91ee923929

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

  • Xloader Payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\fea1c9fccf1292d9fd2c048f0fa767e3.exe
      "C:\Users\Admin\AppData\Local\Temp\fea1c9fccf1292d9fd2c048f0fa767e3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe
        C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe
          C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:580
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe"
        3⤵
        PID:3660
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        PID:1868
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:3524
    • C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe
      "C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe"
      2⤵
      • Executes dropped EXE
      PID:2904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 488
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3036
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2904 -ip 2904
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    System Information Discovery (T1082): 3
    Query Registry (T1012): 2
  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe
    MD5: f61da6d9be169e8012f1776867def6da
    SHA1: 82564a582a671cb220fb66aa75bbed1e7c6d7270
    SHA256: 38f59aa2c8b4d93f9570bcbcc728102ad4375799b1a15de9b2384c27cc4a44ce
    SHA512: 8906aff6e9cd36c5374c3a622f703272c11a3fdf33b4b5b1e07dd0a98244fe61e443f372f84d6456af957024b07e093675acf43a1275b9d15ffdc0afd23d83cc

  • C:\Users\Admin\AppData\Local\Temp\DB1
    MD5: b608d407fc15adea97c26936bc6f03f6
    SHA1: 953e7420801c76393902c0d6bb56148947e41571
    SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
    SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

  • C:\Users\Admin\AppData\Local\Temp\nunhgnm
    MD5: cec6479860914540d21176850b1c4b21
    SHA1: 534b76d286f97b9477e7892bb05701172efc1c71
    SHA256: 7b1106f7bf77968581f2db4c06ba833ede929959074eee1ce8f10185e61a05e3
    SHA512: 6503f223f2e70476fd78e2ddf05e71b218900276873af6c41db9ef8f8807ce2f77c423723b794b8a72b0369575c221ecde1060aa9250c2ad49f3795a97f9014c

  • C:\Users\Admin\AppData\Local\Temp\ognhs6i1h2plg3ur68s
    MD5: 798e35236d03021934f922ea41b06c32
    SHA1: ae4c1656c9d0c4ca6bcc914bd46458688b46ff58
    SHA256: 7c6022ef98927ad13596d6106074f2ef4cab883925e5df6d7ad1c578cc772ab0
    SHA512: f992596c6a99e540420347d231c7fe2991e7d140677a5d5645209b892385320c69e6729f3b437c56f34f57414562bd80ae9bcf7b52d3c7c9ca44c4f4037fbb8b

  • C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe
    MD5: f61da6d9be169e8012f1776867def6da
    SHA1: 82564a582a671cb220fb66aa75bbed1e7c6d7270
    SHA256: 38f59aa2c8b4d93f9570bcbcc728102ad4375799b1a15de9b2384c27cc4a44ce
    SHA512: 8906aff6e9cd36c5374c3a622f703272c11a3fdf33b4b5b1e07dd0a98244fe61e443f372f84d6456af957024b07e093675acf43a1275b9d15ffdc0afd23d83cc

  • memory/580-139-0x000000000041D000-0x000000000041E000-memory.dmp
    Filesize: 4KB
  • memory/580-140-0x0000000001970000-0x0000000001981000-memory.dmp
    Filesize: 68KB
  • memory/580-138-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/580-137-0x0000000001510000-0x000000000185A000-memory.dmp
    Filesize: 3.3MB
  • memory/580-134-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1380-145-0x0000000000370000-0x0000000000399000-memory.dmp
    Filesize: 164KB
  • memory/1380-144-0x0000000000820000-0x0000000000832000-memory.dmp
    Filesize: 72KB
  • memory/1380-146-0x00000000046B0000-0x00000000049FA000-memory.dmp
    Filesize: 3.3MB
  • memory/1380-147-0x0000000002B00000-0x0000000002B90000-memory.dmp
    Filesize: 576KB
  • memory/2444-141-0x0000000008740000-0x0000000008848000-memory.dmp
    Filesize: 1.0MB
  • memory/2444-148-0x0000000008850000-0x0000000008932000-memory.dmp
    Filesize: 904KB