Overview

overview

10

Static

static

fzejdpOSxr_bin.js

windows7_x64

10

fzejdpOSxr_bin.js

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fzejdpOSxr_bin.js

  • Size

    359KB

  • MD5

    84fa540039df7abc11a136c8a43fde22

  • SHA1

    175daef8a581ff8ae86cded1cb6f68373d665dda

  • SHA256

    d5e68b8de115bfa8d06d5f407c3e6f9c95f545ff4a9ee16f9ba2706993cdd7c0

  • SHA512

    7715e6ae047fdfee1ba18aa1adccb28f1608b591a5e710c687f8c599486163b85a432edbbebdeef2301cf779c969cfee1578ad75a57aceb6f8589b2c054595b5

Score
10/10
formbookxloadermdzqloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mdzq

Decoy

leop.red

actoconcept.fr

doesmee.com

goplygolf.com

cqshki.net

leflegme.com

wgamersport.xyz

4513367.com

shpoweronline.com

ingeniousconsultingservices.com

dentaldenalia.com

saaraba.net

artnow.media

sbwyt.com

nortonrosefulbrigiht.com

autorad.xyz

clergyfundingandinsurance.com

boarko.com

xn--zoom-kh4j.com

739lakemuirdr.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Xloader Payload 6 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\fzejdpOSxr_bin.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qNMQUcivjU.js"
        3⤵
          PID:1256
        • C:\Users\Admin\AppData\Local\Temp\bin.exe
          "C:\Users\Admin\AppData\Local\Temp\bin.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Adds policy Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
          3⤵
            PID:1600
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:4616
            • C:\Windows\SysWOW64\cmd.exe
              /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
              3⤵
                PID:3900
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                3⤵
                  PID:4692
              • C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
                "C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2288

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            3
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
              Filesize

              171KB

              MD5

              f1a3c7fee5a476470f039c5a89ccfe51

              SHA1

              c76f1eb2a872c295e656d49b3ddb27a98c03a3b2

              SHA256

              09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

              SHA512

              d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

              Download Submit
            • C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
              Filesize

              171KB

              MD5

              f1a3c7fee5a476470f039c5a89ccfe51

              SHA1

              c76f1eb2a872c295e656d49b3ddb27a98c03a3b2

              SHA256

              09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

              SHA512

              d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\DB1
              Filesize

              40KB

              MD5

              b608d407fc15adea97c26936bc6f03f6

              SHA1

              953e7420801c76393902c0d6bb56148947e41571

              SHA256

              b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

              SHA512

              cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\DB1
              Filesize

              48KB

              MD5

              349e6eb110e34a08924d92f6b334801d

              SHA1

              bdfb289daff51890cc71697b6322aa4b35ec9169

              SHA256

              c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

              SHA512

              2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\bin.exe
              Filesize

              171KB

              MD5

              f1a3c7fee5a476470f039c5a89ccfe51

              SHA1

              c76f1eb2a872c295e656d49b3ddb27a98c03a3b2

              SHA256

              09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

              SHA512

              d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\bin.exe
              Filesize

              171KB

              MD5

              f1a3c7fee5a476470f039c5a89ccfe51

              SHA1

              c76f1eb2a872c295e656d49b3ddb27a98c03a3b2

              SHA256

              09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

              SHA512

              d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

              Download Submit
            • C:\Users\Admin\AppData\Roaming\qNMQUcivjU.js
              Filesize

              18KB

              MD5

              7ed08a6a01849656952a26779ddebdb8

              SHA1

              80c1ac073671679fa8696e2f2b35aec5ac13adf2

              SHA256

              842f1ec25f5540d2aa87f279b362e06636b929d4c7a7dc812ebfdcd655df7d7e

              SHA512

              9052be1db12d30f26ea5dfb35c2fa25c0db6f231f5546f04bccfdc19a621a186f47d964325bd9dd941ac3d36e91c505a0692ee10a42b6752778e34f36e8c3e2a

              Download Submit
            • memory/1256-130-0x0000000000000000-mapping.dmp
              Download
            • memory/1600-139-0x0000000000000000-mapping.dmp
              Download
            • memory/1628-142-0x0000000002EA0000-0x00000000031EA000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/1628-141-0x0000000000980000-0x00000000009AB000-memory.dmp
              Filesize

              172KB

              Download
            • memory/1628-138-0x0000000000000000-mapping.dmp
              Download
            • memory/1628-143-0x0000000002CD0000-0x0000000002D60000-memory.dmp
              Filesize

              576KB

              Download
            • memory/1628-144-0x0000000000980000-0x00000000009AB000-memory.dmp
              Filesize

              172KB

              Download
            • memory/1628-140-0x0000000000E70000-0x0000000000E97000-memory.dmp
              Filesize

              156KB

              Download
            • memory/2288-151-0x0000000000000000-mapping.dmp
              Download
            • memory/2288-154-0x00000000019A0000-0x0000000001CEA000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/2812-146-0x0000000008470000-0x0000000008561000-memory.dmp
              Filesize

              964KB

              Download
            • memory/2812-137-0x0000000008320000-0x000000000846D000-memory.dmp
              Filesize

              1.3MB

              Download
            • memory/2812-145-0x0000000008470000-0x0000000008561000-memory.dmp
              Filesize

              964KB

              Download
            • memory/3900-149-0x0000000000000000-mapping.dmp
              Download
            • memory/4080-136-0x0000000001470000-0x0000000001481000-memory.dmp
              Filesize

              68KB

              Download
            • memory/4080-135-0x0000000001100000-0x000000000144A000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4080-132-0x0000000000000000-mapping.dmp
              Download
            • memory/4616-147-0x0000000000000000-mapping.dmp
              Download