Overview

overview

10

Static

static

sample cat...22.exe

windows7-x64

1

sample cat...22.exe

windows10-2004-x64

10

Resubmissions

15-09-2022 17:54

220915-wg9vdadga6 10

15-09-2022 17:52

220915-wfs58shdgr 10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample catalog2022.exe

  • Size

    288KB

  • MD5

    f0e10bf42bfb76de46b122a9ab381e1f

  • SHA1

    510a22752b3624bb71ab9c198c876b13cd6be9e1

  • SHA256

    5e6ca13143ba73ac8595785c5741f5da0505c0155140d63852aa6d1e74fc081f

  • SHA512

    f6e5ce2530615213a69cc1494667aed3e6b01321aba02c75c4cbb126ef130e8deb1ddd3c23fe73d2de2009dd75dd6c288ee935df1b4471249d5c04e68ae52790

  • SSDEEP

    6144:JH/k7Gstb+5NcvahAKNRqF3hfvAoKqS8bZufRuV8vfBG:Jfkvw5mahbPqnQWv8vfc

Score
10/10
formbookxloaderdwdploaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Extracted

Family

xloader

Version

3.8

Campaign

dwdp

Decoy

jPxWFTS1Rn/K/LD47WRRW7+Veuct8yc=

ke1Wv1l26dZZxDikX9dU3s6k8+w=

+vtNyVBkx8VMf5KCaIj8DYR5QyLJgQ==

GHXPhYzwXcKgZwqBb/kejm7rfobj

yalW64iE8+aXs70=

MD83dBR0KSF4fizgRhAM

Xti3uNm2JDWgssPgRhAM

X7gYbv5uJhpvjdI0Qg==

ydxGznbNJ3tCCLAX4arq4nweMuQ=

Ca+fvtST8OBbosPgRhAM

kG1QegD8mU/E/hLw1t0=

g9FFFjEC5C2IvR/BhbSrpw==

PCkpeg38W0aPdg1rav1DFnVASw==

vSq+xBf3qjY27H3yqepK+g+nOmOMc3m7

G7WYirSZS9EYob8=

WbEWaOVIAPlSNNc4LsfL53weMuQ=

hnyAvEY4n3rTKS4g5mHKxR0=

JN7b0uCqVrQydMl7JNw=

XTki/RASDK6BCW0q8sU=

DQMBWA9wJyOKqqGSmGHKxR0=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies registry class 34 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\sample catalog2022.exe
      "C:\Users\Admin\AppData\Local\Temp\sample catalog2022.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:4376
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:4588
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\SysWOW64\cscript.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:932

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2328-136-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2328-133-0x00007FFAAED70000-0x00007FFAAF831000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2328-132-0x0000000000B60000-0x0000000000BAE000-memory.dmp
          Filesize

          312KB

          Download
        • memory/3004-139-0x0000000000401000-0x000000000042F000-memory.dmp
          Filesize

          184KB

          Download
        • memory/3004-135-0x00000000004012B0-mapping.dmp
          Download
        • memory/3004-138-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3004-141-0x00000000012D0000-0x000000000161A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3004-142-0x0000000000D40000-0x0000000000D50000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3004-134-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3004-145-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3004-146-0x0000000000401000-0x000000000042F000-memory.dmp
          Filesize

          184KB

          Download
        • memory/3052-151-0x0000000007FF0000-0x000000000813B000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3052-143-0x0000000007EF0000-0x0000000007FEA000-memory.dmp
          Filesize

          1000KB

          Download
        • memory/3052-153-0x0000000007FF0000-0x000000000813B000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5084-144-0x0000000000000000-mapping.dmp
          Download
        • memory/5084-149-0x00000000028B0000-0x0000000002BFA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/5084-150-0x0000000002650000-0x00000000026DF000-memory.dmp
          Filesize

          572KB

          Download
        • memory/5084-148-0x0000000000600000-0x000000000062D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/5084-152-0x0000000000600000-0x000000000062D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/5084-147-0x0000000000C80000-0x0000000000CA7000-memory.dmp
          Filesize

          156KB

          Download