Analysis
max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:07
Static task: static1
Behavioral task: behavioral1
Sample: PO894749745.exe
Resource: win7-20220414-en
General
Target: PO894749745.exe
Size: 720KB
MD5: c705b518d1ca69c0443f2f5eb0e655a2
SHA1: aab7fb45b724954b382f93a3aebc5109f7fb4138
SHA256: 371a78d5f848b70de0d716586851eec55e92fc1e4e5898943c62c67a99c9e07a
SHA512: fe206b5f73624134eecf339d134384a66d44fc8a890f67e4b2fa1867caa10106b5e715343885f945d4f145b52c944caec9abe4e04126904944d9735766fc8501
Malware Config
Extracted
Family: xloader
Version: 2.0
Campaign: b6fg
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload (3 IoCs)
Processes:
  resource -> yara_rule
  behavioral2/memory/4580-136-0x0000000000400000-0x0000000000427000-memory.dmp -> xloader
  behavioral2/memory/4580-138-0x0000000000400000-0x0000000000427000-memory.dmp -> xloader
  behavioral2/memory/4168-144-0x0000000001050000-0x0000000001077000-memory.dmp -> xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: NETSTAT.EXE
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (NETSTAT.EXE)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8P08FTBPF = "C:\\Program Files (x86)\\Nqztpdxxh\\s4vhljox.exe" (NETSTAT.EXE)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (3 IoCs)
Processes: PO894749745.exe, vbc.exe, NETSTAT.EXE
  PID 3016 (PO894749745.exe) set thread context of PID 4580 (vbc.exe)
  PID 4580 (vbc.exe) set thread context of PID 2480 (Explorer.EXE)
  PID 4168 (NETSTAT.EXE) set thread context of PID 2480 (Explorer.EXE)

Drops file in Program Files directory (4 IoCs)
Processes: NETSTAT.EXE, Explorer.EXE
  File opened for modification: C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe (NETSTAT.EXE)
  File opened for modification: C:\Program Files (x86)\Nqztpdxxh (Explorer.EXE)
  File created: C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe (Explorer.EXE)
  File opened for modification: C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe (Explorer.EXE)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: PID 4168 NETSTAT.EXE

Modifies Internet Explorer settings
Processes: NETSTAT.EXE
  Key created: \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (NETSTAT.EXE)
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes: vbc.exe, NETSTAT.EXE
  PID 4580 vbc.exe (4 hits)
  PID 4168 NETSTAT.EXE (36 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: PID 2480 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: vbc.exe, NETSTAT.EXE
  PID 4580 vbc.exe (3 hits)
  PID 4168 NETSTAT.EXE (4 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: vbc.exe, NETSTAT.EXE
  Token: SeDebugPrivilege, PID 4580 vbc.exe
  Token: SeDebugPrivilege, PID 4168 NETSTAT.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: PO894749745.exe, Explorer.EXE, NETSTAT.EXE
  PID 3016 (PO894749745.exe) wrote to memory of PID 4580 (vbc.exe), 6 times
  PID 2480 (Explorer.EXE) wrote to memory of PID 4168 (NETSTAT.EXE), 3 times
  PID 4168 (NETSTAT.EXE) wrote to memory of PID 1304 (cmd.exe), 3 times
  PID 4168 (NETSTAT.EXE) wrote to memory of PID 5100 (cmd.exe), 3 times
  PID 4168 (NETSTAT.EXE) wrote to memory of PID 3420 (Firefox.exe), 3 times
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO894749745.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO894749745.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
C:\Program Files (x86)\Nqztpdxxh\s4vhljox.exe
  Filesize: 2.5MB
  MD5: 0a7608db01cae07792cea95e792aa866
  SHA1: 71dff876e4d5edb6cea78fee7aa15845d4950e24
  SHA256: c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e
  SHA512: 990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4