General
Target

PO0932083943974.exe

Filesize

351KB

Completed

21-05-2022 00:58

Task

behavioral1

Score
10/10
MD5

1e8d5e2871ef3da902db085c1b5c9e4f

SHA1

a3e42499d53bcf961dfbaceca2c3fb5fc4d54364

SHA256

dee1fa115a3e06310b958baca7bf709144f770de027ab3c615f6937b7544cd75

SHA512

bbba879de92397a2141aaa4e780a99e1434e171d31dd2698e97363518b140635c20adb98718073f7d2b12935a14bde61b70ff7d5d528058c4a50794b865f2446

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

Signatures 15

  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1476-60-0x0000000000400000-0x0000000000427000-memory.dmp | xloader
    behavioral1/memory/1476-61-0x000000000041C160-mapping.dmp | xloader
    behavioral1/memory/1476-66-0x0000000000400000-0x0000000000427000-memory.dmp | xloader
    behavioral1/memory/2024-74-0x0000000000080000-0x00000000000A7000-memory.dmp | xloader
  • Adds policy Run key to start application
    explorer.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JV1HBHX8_ = "C:\\Program Files (x86)\\J_bcl0fwh\\user3f5.exe" | explorer.exe
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    PO0932083943974.exe, vbc.exe, explorer.exe

    Reported IOCs

    description | pid | process | target process
    PID 956 set thread context of 1476 | 956 | PO0932083943974.exe | vbc.exe
    PID 1476 set thread context of 1384 | 1476 | vbc.exe | Explorer.EXE  (2 events)
    PID 2024 set thread context of 1384 | 2024 | explorer.exe | Explorer.EXE
  • Drops file in Program Files directory
    explorer.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\J_bcl0fwh\user3f5.exe | explorer.exe
  • Modifies Internet Explorer settings
    explorer.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | explorer.exe
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, explorer.exe

    Reported IOCs

    pid | process
    1476 | vbc.exe  (3 events)
    2024 | explorer.exe  (15 events)
  • Suspicious behavior: MapViewOfSection
    vbc.exe, explorer.exe

    Reported IOCs

    pid | process
    1476 | vbc.exe  (4 events)
    2024 | explorer.exe  (4 events)
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe, explorer.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1476 | vbc.exe
    Token: SeDebugPrivilege | 2024 | explorer.exe
    Token: SeShutdownPrivilege | 1384 | Explorer.EXE
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1384 | Explorer.EXE  (2 events)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1384 | Explorer.EXE  (2 events)
  • Suspicious use of WriteProcessMemory
    PO0932083943974.exe, Explorer.EXE, explorer.exe

    Reported IOCs

    description | pid | process | target process
    PID 956 wrote to memory of 1476 | 956 | PO0932083943974.exe | vbc.exe  (7 events)
    PID 1384 wrote to memory of 2024 | 1384 | Explorer.EXE | explorer.exe  (4 events)
    PID 2024 wrote to memory of 300 | 2024 | explorer.exe | cmd.exe  (4 events)
    PID 2024 wrote to memory of 1128 | 2024 | explorer.exe | Firefox.exe  (5 events)
Processes 6
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe
      "C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "{path}"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1476
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID:300
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1128
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation