General
Target: PO0932083943974.exe
Filesize: 351KB
Completed: 21-05-2022 00:58
Task: behavioral2
Score: 10/10
MD5: 1e8d5e2871ef3da902db085c1b5c9e4f
SHA1: a3e42499d53bcf961dfbaceca2c3fb5fc4d54364
SHA256: dee1fa115a3e06310b958baca7bf709144f770de027ab3c615f6937b7544cd75
SHA512: bbba879de92397a2141aaa4e780a99e1434e171d31dd2698e97363518b140635c20adb98718073f7d2b12935a14bde61b70ff7d5d528058c4a50794b865f2446

Malware Config

Extracted

Family: xloader
Version: 2.0
Campaign: b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

taragon-entertainment.com

ahly-live.com

ucpprint.com

betscrum.com

homehit.house

taab3.net

martiswatches.com

cartel-sinaloa.com

flyfuncenter.com

lezhen.top

aiotstairlift.com

selfless-entrepreneur.com

easttaiwansurftrip.com

descubriendonoruega.com

wicoru.com

tacmktg.com

callisterlawgroup.com

khogiaychinhhang.com

hobianak.com

pole-entrepreneur.net

callumjcummings.com

sgknox.com

xn--zuneauspolen-gcb.com

wwwjinsha622.com

everyoneschocolate.com

medlplayground.com

honeynray.com

whackajudge.com

alwarren.com

venglishhouse.com

Signatures 17

Tactics observed: Collection, Credential Access, Defense Evasion, Discovery, Execution, Persistence
  • Formbook

    Description

    Formbook is an information stealer that harvests saved credentials, browser form data, keystrokes and clipboard contents from the infected host and reports to its command-and-control servers.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    Network traffic from the sandbox matched the Emerging Threats Suricata rule for a FormBook command-and-control check-in over HTTP GET.

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Description

    Network traffic from the sandbox matched the Emerging Threats Suricata rule (variant M2) for a FormBook command-and-control check-in over HTTP POST.

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2248-135-0x0000000000400000-0x0000000000427000-memory.dmp | xloader
    behavioral2/memory/2248-137-0x0000000000400000-0x0000000000427000-memory.dmp | xloader
    behavioral2/memory/4080-143-0x00000000010F0000-0x0000000001117000-memory.dmp | xloader
  • Adds policy Run key to start application
    ipconfig.exe

    Description

    HKLM\...\Policies\Explorer\Run is the Group Policy counterpart of the usual Run keys and is honoured by Explorer at logon; it is easy to miss when only the standard Run/RunOnce keys are reviewed. The value points at the copy of the payload dropped under Program Files (x86), not at the original sample.

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ipconfig.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\4HD0-6D8IR1 = "C:\\Program Files (x86)\\Qovbxn2sh\\1bsxnjxhbc.exe" | ipconfig.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. The concrete instance in this run is the copy of Chrome's "Login Data" database to %TEMP%\DB1 by cmd.exe (see the process tree); the copied file is listed under Downloads.

    TTPs

    Data from Local System, Credentials in Files
  • Uses the VBS compiler for execution

    Description

    vbc.exe is the .NET Visual Basic compiler from the .NET Framework directory, a signed Microsoft binary. Here it is launched by the dropper and immediately becomes the target of WriteProcessMemory and SetThreadContext from PID 4232, i.e. it is the hollowed host for the first payload stage; the Xloader YARA match in the memory of PID 2248 confirms this.

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    PO0932083943974.exe, vbc.exe, ipconfig.exe

    Reported IOCs

    description | pid | process | target process
    PID 4232 set thread context of 2248 | 4232 | PO0932083943974.exe | vbc.exe
    PID 2248 set thread context of 1124 | 2248 | vbc.exe | Explorer.EXE
    PID 4080 set thread context of 1124 | 4080 | ipconfig.exe | Explorer.EXE
  • Drops file in Program Files directory
    ipconfig.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Qovbxn2sh\1bsxnjxhbc.exe | ipconfig.exe
  • Gathers network information
    ipconfig.exe

    Description

    Uses commandline utility to view network configuration. In this run the signature fires on the process image rather than on reconnaissance: ipconfig.exe was started by the injected Explorer.EXE with no arguments and hosts the Xloader payload (YARA match on PID 4080 above), so it is the injection host for the credential-theft and persistence activity, not a genuine ipconfig invocation.

    TTPs

    System Information Discovery, Command-Line Interface

    Reported IOCs

    pid | process
    4080 | ipconfig.exe
  • Modifies Internet Explorer settings
    ipconfig.exe

    Description

    The key touched is IntelliForms\Storage2, where Internet Explorer keeps AutoComplete form data and saved passwords; access to it from ipconfig.exe is consistent with credential harvesting rather than a configuration change.

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe, ipconfig.exe

    Reported IOCs

    pid | process | occurrences
    2248 | vbc.exe | 4
    4080 | ipconfig.exe | 28
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1124 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    vbc.exe, ipconfig.exe

    Reported IOCs

    pid | process | occurrences
    2248 | vbc.exe | 3
    4080 | ipconfig.exe | 4
  • Suspicious use of AdjustPrivilegeToken
    vbc.exe, ipconfig.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2248 | vbc.exe
    Token: SeDebugPrivilege | 4080 | ipconfig.exe
  • Suspicious use of WriteProcessMemory
    PO0932083943974.exe, Explorer.EXE, ipconfig.exe

    Reported IOCs

    description | pid | process | target process | occurrences
    PID 4232 wrote to memory of 2248 | 4232 | PO0932083943974.exe | vbc.exe | 6
    PID 1124 wrote to memory of 4080 | 1124 | Explorer.EXE | ipconfig.exe | 3
    PID 4080 wrote to memory of 1572 | 4080 | ipconfig.exe | cmd.exe | 3
    PID 4080 wrote to memory of 3584 | 4080 | ipconfig.exe | cmd.exe | 3
    PID 4080 wrote to memory of 3432 | 4080 | ipconfig.exe | Firefox.exe | 3
Processes 7
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe
      "C:\Users\Admin\AppData\Local\Temp\PO0932083943974.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "{path}"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:2248
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Gathers network information
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:3584
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:3432
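The SetThreadContext and WriteProcessMemory tables above, read together with the process tree, contain the whole execution story of this sample: the dropper (PID 4232) writes into vbc.exe and redirects its thread, vbc.exe redirects Explorer.EXE, Explorer.EXE spawns and writes into ipconfig.exe, and ipconfig.exe redirects Explorer.EXE again, launches the cmd.exe helpers and registers the dropped copy under the policy Run key. The Python script below is an added example written for this page; it is not part of the sandbox report or of the sandbox's tooling. It parses the rows in the flattened form in which they appear here (the target PID and the pid column run together, e.g. "22484232"), rebuilds the injection chain, flags the pairs where one process both wrote into and set the thread context of another, and extracts the persistence value. The rows are copied from the report; the regular expressions, the hollowing heuristic and every function name are this example's own.

```python
"""Rebuild the injection chain and persistence from this report's IOC rows.

Added example written for this page, not part of the sandbox report or its
tooling. The rows below are copied from the SetThreadContext,
WriteProcessMemory and policy Run key tables as flattened on the page; the
parsers, the hollowing heuristic and all names are this example's own.
"""
import re

# Constructed sample input: rows as printed in the report. The report repeats
# identical WriteProcessMemory rows; one duplicate is kept to show de-duplication.
CONTEXT_ROWS = [
    "PID 4232 set thread context of 22484232PO0932083943974.exevbc.exe",
    "PID 2248 set thread context of 11242248vbc.exeExplorer.EXE",
    "PID 4080 set thread context of 11244080ipconfig.exeExplorer.EXE",
]
WRITE_ROWS = [
    "PID 4232 wrote to memory of 22484232PO0932083943974.exevbc.exe",
    "PID 4232 wrote to memory of 22484232PO0932083943974.exevbc.exe",
    "PID 1124 wrote to memory of 40801124Explorer.EXEipconfig.exe",
    "PID 4080 wrote to memory of 15724080ipconfig.execmd.exe",
    "PID 4080 wrote to memory of 35844080ipconfig.execmd.exe",
    "PID 4080 wrote to memory of 34324080ipconfig.exeFirefox.exe",
]
RUNKEY_ROW = (
    r"Set value (str)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r'\Policies\Explorer\Run\4HD0-6D8IR1 = "C:\\Program Files (x86)\\Qovbxn2sh'
    r'\\1bsxnjxhbc.exe"ipconfig.exe'
)

# Flattened columns: description | pid | process | target process. The pid
# column repeats the PID named in the description, so the backreference \1 is
# what splits the digit run "22484232" into target 2248 and pid 4232.
ROW_RE = re.compile(
    r"^PID (\d+) (?:wrote to memory of|set thread context of) (\d+)\1"
    r"(\S+?\.exe)(\S+)$", re.IGNORECASE)
# Policy Run key row: description | ioc | process; the ioc is
# '<key>\<value> = "<data>"' with the data's backslashes doubled by the report.
RUNKEY_RE = re.compile(
    r'^Set value \(str\)(\\REGISTRY\\\S+?\\Policies\\Explorer\\Run)\\(\S+)'
    r' = "(.*)"(\S+)$')


def parse_row(row):
    """Return (src_pid, dst_pid, src_image, dst_image) for one flattened row."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError("unrecognised row: %r" % row)
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_graph(context_rows, write_rows):
    """Ordered, de-duplicated (src, dst) edge lists per API, plus pid -> image."""
    ctx_edges, wr_edges, images = [], [], {}
    for rows, edges in ((context_rows, ctx_edges), (write_rows, wr_edges)):
        for row in rows:
            src, dst, src_img, dst_img = parse_row(row)
            images[src], images[dst] = src_img, dst_img
            if (src, dst) not in edges:
                edges.append((src, dst))
    return ctx_edges, wr_edges, images


def hollowing_pairs(ctx_edges, wr_edges):
    """Classic hollowing: one process both writes into a target and redirects
    its thread. Thread-context-only pairs are returned separately; there the
    payload may have arrived through a mapped section (cf. the report's
    MapViewOfSection signature) rather than through WriteProcessMemory."""
    both = sorted(set(ctx_edges) & set(wr_edges))
    ctx_only = sorted(set(ctx_edges) - set(wr_edges))
    return both, ctx_only


def injection_chain(start, ctx_edges, wr_edges):
    """Depth-first order of every PID reachable from the sample's own PID."""
    adj = {}
    for src, dst in wr_edges + ctx_edges:
        adj.setdefault(src, [])
        if dst not in adj[src]:
            adj[src].append(dst)
    order, stack = [], [start]
    while stack:
        pid = stack.pop()
        if pid in order:
            continue
        order.append(pid)
        stack.extend(reversed(adj.get(pid, [])))
    return order


def parse_runkey(row):
    """Key, value name, autostart path and writing process, or None."""
    m = RUNKEY_RE.match(row)
    if m is None:
        return None
    key, name, data, proc = m.groups()
    return {"key": key, "value": name, "process": proc,
            "path": data.replace("\\\\", "\\")}


if __name__ == "__main__":
    ctx, wr, images = build_graph(CONTEXT_ROWS, WRITE_ROWS)
    print("chain:", [images[p] for p in injection_chain(4232, ctx, wr)])
    print("hollowed / context-only:", hollowing_pairs(ctx, wr))
    print("persistence:", parse_runkey(RUNKEY_ROW))
```

The hollowing test is deliberately strict: only the dropper's injection into vbc.exe is reported as write-plus-redirect, while vbc.exe -> Explorer.EXE and ipconfig.exe -> Explorer.EXE come back as thread-context-only because the report has no WriteProcessMemory row for them. That matches the MapViewOfSection signature the report raises on the same two PIDs, which is the companion artefact to look for when a payload is delivered by mapping a section into the target instead of writing into it.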
Network

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
• C:\Users\Admin\AppData\Local\Temp\DB1 (the copy of Chrome's "Login Data" database made by cmd.exe PID 3584, see the process tree)
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

• memory/1124-147-0x0000000002B80000-0x0000000002C78000-memory.dmp
• memory/1124-140-0x0000000007EC0000-0x0000000008064000-memory.dmp
• memory/1572-144-0x0000000000000000-mapping.dmp
• memory/2248-134-0x0000000000000000-mapping.dmp
• memory/2248-135-0x0000000000400000-0x0000000000427000-memory.dmp
• memory/2248-137-0x0000000000400000-0x0000000000427000-memory.dmp
• memory/2248-139-0x0000000001550000-0x0000000001560000-memory.dmp
• memory/2248-138-0x00000000019D0000-0x0000000001D1A000-memory.dmp
• memory/3584-148-0x0000000000000000-mapping.dmp
• memory/4080-146-0x0000000001C70000-0x0000000001CFF000-memory.dmp
• memory/4080-141-0x0000000000000000-mapping.dmp
• memory/4080-142-0x0000000000B70000-0x0000000000B7B000-memory.dmp
• memory/4080-143-0x00000000010F0000-0x0000000001117000-memory.dmp
• memory/4080-145-0x0000000001920000-0x0000000001C6A000-memory.dmp
• memory/4232-133-0x0000000004BE0000-0x0000000004C7C000-memory.dmp
• memory/4232-131-0x00000000050F0000-0x0000000005694000-memory.dmp
• memory/4232-132-0x0000000004A30000-0x0000000004AC2000-memory.dmp
• memory/4232-130-0x0000000000040000-0x000000000009E000-memory.dmp