Overview

overview

10

Static

static

INQNEW~0.exe

windows7_x64

10

INQNEW~0.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQNEW~0.exe

  • Size

    276KB

  • MD5

    ebb0fecde4a2e88c63c27c82810113b5

  • SHA1

    c5658bec21ea4dfe2d0a66089d2d18bf081c778f

  • SHA256

    df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c

  • SHA512

    05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8

Score
10/10
formbookxloaderbe4oloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe
      "C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\SysWOW64\wscript.exe"
          4⤵
          • Adds policy Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1720
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            5⤵
              PID:1648
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              5⤵
                PID:1884

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Scripting

      1
      T1064

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1300-64-0x00000000044A0000-0x000000000458E000-memory.dmp
        Filesize

        952KB

        Download
      • memory/1300-75-0x0000000006220000-0x000000000636E000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1300-67-0x0000000005F90000-0x000000000607F000-memory.dmp
        Filesize

        956KB

        Download
      • memory/1648-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1720-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1720-74-0x0000000001EE0000-0x0000000001F70000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1720-72-0x0000000002070000-0x0000000002373000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1720-70-0x0000000000070000-0x000000000009B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1720-69-0x0000000000AB0000-0x0000000000AD6000-memory.dmp
        Filesize

        152KB

        Download
      • memory/2020-54-0x00000000013C0000-0x000000000140A000-memory.dmp
        Filesize

        296KB

        Download
      • memory/2020-55-0x00000000755C1000-0x00000000755C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2024-59-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/2024-57-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/2024-66-0x00000000002D0000-0x00000000002E1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/2024-65-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/2024-56-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/2024-60-0x000000000041F270-mapping.dmp
        Download
      • memory/2024-63-0x0000000000280000-0x0000000000291000-memory.dmp
        Filesize

        68KB

        Download
      • memory/2024-62-0x00000000008D0000-0x0000000000BD3000-memory.dmp
        Filesize

        3.0MB

        Download