Overview

overview

10

Static

static

3

2f629a402b...7e.exe

windows7-x64

10

2f629a402b...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2023 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e.exe

  • Size

    227KB

  • MD5

    71cdc8400bfe18811d29425c2a9cb109

  • SHA1

    031f46d4350785dd4d8ad9eaaed3ae8a410f3382

  • SHA256

    2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e

  • SHA512

    e019b3fb80112dab79bb6a2ce9d1bf9ba01f44da277d2399b9ae07d667f2601ddb243dd53f1b7495da0d4ee28ec2731d53916d23deb81b6d8ae40670d4c69fed

  • SSDEEP

    3072:HfY/TU9fE9PEtuYbzKJbf9shCvCPBVfoZveo8spMN9g/m2oICCTobMaBB8NAL+6c:/Ya6Ez0bf9oCvCXAZ21sU6mCCVBMQu

Score
10/10
formbookxloaderpoubloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

poub

Decoy

WY0eksfISzRg4O6c+opnGL6gaw==

moRjn9ExtYi8UmUo+Tya

2vME+GedoxzFnuLXesUoVj4=

EvW4JWJ1NQ8nN3tA3SM=

2mK9efMZMgN1VOs=

8d0jua5b0J6AQEW7

/2cyThOd37DSTYMASDye4Q0t/Vs=

ral+tbIh2KKAQEW7

YLY9jsPtYB/FRmMo+Tya

R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=

KFXGg/T1pCC9GjrxUPTcjw==

8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=

c7am8nhhlCo=

UW91trZj6dENxuRdpxOvW1Cf

sjOMUcvq6lYJCZEfV4euFzY=

62nBgPjdmWQkmWElww==

64E8JqA1aruSUvw=

NqI1reXpcR+REye0

8+y1oOsbjgSyEhjXUPTcjw==

Rx9by8gNBwN1VOs=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e.exe
    "C:\Users\Admin\AppData\Local\Temp\2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Users\Admin\AppData\Local\Temp\2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e.exe
      "C:\Users\Admin\AppData\Local\Temp\2f629a402b16b6b5a6c223d27673a368507e018b6c526aa62815da9493337d7e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstBB7.tmp\wywmmy.dll
    Filesize

    5KB

    MD5

    69e275a60ff1f1093c9c28e9eaca6648

    SHA1

    ce7fa683423c77d688a3a29abce7b23e989bd868

    SHA256

    3714b8a9307d601b1e3dd239fe1dfffe20670d335951ac874473143a1034189a

    SHA512

    2505e744fe964d0100b6f4edd788a33661abe19f87a2c69cd52d4b6cdc708383127bc05e968f0a939be1c5bd6ac081e6f985e8e28c378f8470844120376a817b

    Download Submit
  • memory/1504-62-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1504-65-0x00000000008F0000-0x0000000000BF3000-memory.dmp
    Filesize

    3.0MB

    Download