Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
08-12-2022 16:17
General
-
Target
Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
-
Size
1.0MB
-
MD5
af4c90f16183a6ad67d309954e852c8a
-
SHA1
4b8612090c079bf462c55e774c7199d4f182e937
-
SHA256
e42dddf5106613702329f2fa39feac15baee21cd5b543d288dc82ed621eb7037
-
SHA512
c335c1ab1b2708530424dc094a9b864155275e4d462bf726b38338b9c33f6942c355b9092fa786bf1a20f99c7ac52b4c03e399ff5ab157fff556480db15fc823
-
SSDEEP
12288:0oQgKZ/nXt7virmWhlGLaQYIyzYEmgX/Lifi1SXAe73hdw7YVCiJM2dycvQ0piws:fPNNwAe7x78OQ0Hx4xUhlWp
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
Extracted
xloader
3.Æ…
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3064-147-0x0000000007AF0000-0x0000000007BCB000-memory.dmpFilesize
876KB
-
memory/3064-157-0x0000000007BD0000-0x0000000007C6F000-memory.dmpFilesize
636KB
-
memory/3064-155-0x0000000007BD0000-0x0000000007C6F000-memory.dmpFilesize
636KB
-
memory/3144-146-0x0000000000CA0000-0x0000000000CB0000-memory.dmpFilesize
64KB
-
memory/3144-144-0x0000000001110000-0x000000000145A000-memory.dmpFilesize
3.3MB
-
memory/3144-150-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/3144-138-0x0000000000000000-mapping.dmp
-
memory/3144-139-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3144-141-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3144-142-0x0000000000401000-0x000000000042F000-memory.dmpFilesize
184KB
-
memory/3144-149-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3144-145-0x0000000000422000-0x0000000000424000-memory.dmpFilesize
8KB
-
memory/4784-137-0x0000000000000000-mapping.dmp
-
memory/4884-132-0x0000000000470000-0x0000000000582000-memory.dmpFilesize
1.1MB
-
memory/4884-135-0x0000000005350000-0x000000000535A000-memory.dmpFilesize
40KB
-
memory/4884-136-0x0000000005A50000-0x0000000005AEC000-memory.dmpFilesize
624KB
-
memory/4884-134-0x0000000004F30000-0x0000000004FC2000-memory.dmpFilesize
584KB
-
memory/4884-133-0x0000000005400000-0x00000000059A4000-memory.dmpFilesize
5.6MB
-
memory/4920-148-0x0000000000000000-mapping.dmp
-
memory/4920-153-0x0000000003220000-0x000000000356A000-memory.dmpFilesize
3.3MB
-
memory/4920-154-0x00000000030D0000-0x000000000315F000-memory.dmpFilesize
572KB
-
memory/4920-152-0x00000000012A0000-0x00000000012CD000-memory.dmpFilesize
180KB
-
memory/4920-156-0x00000000012A0000-0x00000000012CD000-memory.dmpFilesize
180KB
-
memory/4920-151-0x00000000008D0000-0x00000000008DC000-memory.dmpFilesize
48KB