Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 10:20

Static task: static1
Behavioral task: behavioral1
Sample: bis.exe
Resource: win7-20220414-en

General
Target: bis.exe
Size: 451KB
MD5: 9e1bb80ff1f6f5181ed26c62ef3de29d
SHA1: 5c37096275b5947dfd68ccacc92eec204fa73883
SHA256: a92f8917b2e98217ede5359f7906dd0a60df26e087a1e1c33b81797a334fb448
SHA512: f1493090882bbe106508b50a0dcc8ac9966b157837f3d3d428b5b1977bcda3ea00eb067b5f925add5a38e069cfb4e7ce63be49ba8db29b23eb171290226e7004
Malware Config
Extracted
xloader
2.9
rb1k
Hy3kKk3exSb8BwggZ6MfKxQ=
NCL+/Dy1jhSUG9mRm0U=
wWOomCbzt4pHcH22F16ZDMRcKw==
WTIg8VQo+NeSJsTaLk6M9XQi
GxTnP34PxKGMqI0aDg==
BCLmUMWYgpQ0hmDGRvcILQM=
ILk0ukAA71UFWNrW
aHq3rPmIgJpVF+C9GQ==
8jYg+GYnGycf+ufa9Fo=
gQpOLax1ZUbL5at4u1SkP/XMaS0=
s1abd4QIyia5Ta6zEUSM9XQi
JDL1dr1IE+a1q4zB
24b2gBbkpvG81Nh1rLjxJw==
U5KEePzSsY5a/WYuVdUXnycmbPcnk6RB
D+TYrgrRwtaL5YIUEQ==
T1gpjLMr70QZODL8/UOM9XQi
f3Efb+StKpP+MQ==
fUfDKVLlzfcCFgo=
23rI2NitbuCL
ypQDXuCwKpP+MQ==
HAb9/o1eLLQ9wSTfYYSH
dGQztBqhddBmAXhBXcxKFgs=
pot/UnwB2u3ASrJxrLjxJw==
u0T+cxPYr0QFWNrW
Xd4g6AvWeAiHFNmRm0U=
fqY0SI2eZ8o=
8drNzC++V3AVf2DUYR5ZxjZMexa6qwY=
nbJ3+p1pTrKCkI2W2WKmP/XMaS0=
2hALD5uTJQmW5YIUEQ==
xkOFeq85DZta4TTHqkaTsKRHWhWYuw==
oM7LtPFwVWgDawjY9lo=
I6fZxC063kHYasfIFUSM9XQi
3tSd2b+SQYRPWh4=
iQKA+Xs4IpIluCPfYYSH
WZeQeI4b9FYFWNrW
j4Etp+CtbuCL
wWGZaYoV9XsDjMeSwzZ1tqK0WhWYuw==
EmloL1XbangEJg==
yU6IU27/+OCqK5mc+D5pZzEXvksf
WZKSas6qakwYQB4bZaMfKxQ=
bPxAU5ReCj/E6Bmu2VI=
IOZn4Wky9gf+nyfw+Fo=
il/DFi65d1XWM96z2FA=
RtQFCV/SvsqI5YIUEQ==
n3sLWHwMx6QhefHiBg==
s1fVFTG+gQnLhOzE8nq9EMFmMg==
x6iSiQrLangEJg==
czynGrjNeuqB
96wda7Yz/9qL5YIUEQ==
cMAlpBKfasZ0knE2aKMfKxQ=
+b49sNMNangEJg==
ynKneOyojnL+HxwufAhbGocyQO8nk6RB
hsy9q0Ig6o7J5YIUEQ==
49iq9i7AWSj7EvjE9T/yIQ0=
sYxAhPrIi2QqnRrfYYSH
DAo7NXv96UD+qCnt+0SM9XQi
69TZxSrz4MxfcllPdaMfKxQ=
wIryVHQR+gzPXPIBWoh3DHEKLW0nk6RB
L6TuDuPkKpP+MQ==
S6Vr07qsKn06Pw==
fbiiiwzOangEJg==
CcAzujb9ytZvk5qm7D/yIQ0=
tAsA5EU4mfcCFgo=
0knRgKY39EwFWNrW
strictlynightowl.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload 4 IoCs
resource                                                                     yara_rule
behavioral2/memory/2544-136-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral2/memory/2544-138-0x0000000000400000-0x000000000042C000-memory.dmp  xloader
behavioral2/memory/2328-145-0x0000000000E50000-0x0000000000E7C000-memory.dmp  xloader
behavioral2/memory/2328-149-0x0000000000E50000-0x0000000000E7C000-memory.dmp  xloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  bis.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                          Process
Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                  mstsc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DXP01NUXLXD = "C:\\Program Files (x86)\\Yevu\\9rkl_clttq0.exe"  mstsc.exe
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process    procid_target
PID 2276 set thread context of 2544  2276  bis.exe    91
PID 2544 set thread context of 2044  2544  bis.exe    40
PID 2328 set thread context of 2044  2328  mstsc.exe  40
Drops file in Program Files directory 1 IoCs
description                   ioc                                           Process
File opened for modification  C:\Program Files (x86)\Yevu\9rkl_clttq0.exe  mstsc.exe

Modifies Internet Explorer settings
description  ioc                                                                                                                     Process
Key created  \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  mstsc.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid   Process    occurrences
2544  bis.exe    4
2328  mstsc.exe  32

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2044  Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
pid   Process    occurrences
2544  bis.exe    3
2328  mstsc.exe  4

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2544  bis.exe
Token: SeDebugPrivilege  2328  mstsc.exe

Suspicious use of WriteProcessMemory 21 IoCs
description                       pid   Process       procid_target  occurrences
PID 2276 wrote to memory of 2544  2276  bis.exe       91             6
PID 2044 wrote to memory of 2328  2044  Explorer.EXE  92             3
PID 2328 wrote to memory of 4232  2328  mstsc.exe     93             3
PID 2328 wrote to memory of 1264  2328  mstsc.exe     95             3
PID 2328 wrote to memory of 3052  2328  mstsc.exe     97             3
PID 2328 wrote to memory of 1900  2328  mstsc.exe     99             3
Processes (process tree; indentation shows parent/child depth)
C:\Windows\Explorer.EXE (PID 2044)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\bis.exe (PID 2276)
    command line: "C:\Users\Admin\AppData\Local\Temp\bis.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bis.exe (PID 2544)
      command line: "C:\Users\Admin\AppData\Local\Temp\bis.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\mstsc.exe (PID 2328)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4232)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\bis.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 1264)
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe (PID 3052)
      command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1900)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574