Analysis

  • max time kernel
    73s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-03-2021 22:44

General

  • Target

    SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe

  • Size

    164KB

  • MD5

    1da73d4931cd6893f7b9fc765225a62d

  • SHA1

    cdc4992d5e425628b1c12c51d64a9105824bacc5

  • SHA256

    12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d

  • SHA512

    fe6d7693e80890b3da7a27d37630d48a4de919b53a8532496fe9c4b66665dde605a46f71d42e228d83fa8d3c92aaadc5a36b50e479f450742ab8a06589820a18

Score
10/10

Malware Config

Extracted

Family

xloader

C2

http://www.pardsoda.com/w25t/

Decoy

nowayinlocksmith.com

bookaprovider.com

joybirder.com

decoracerrado.com

preciousmonments.com

96kixx.com

parentseducationalco-op.com

cbdandbtc.com

santanadeliciasymas.com

finecharlottehomes.com

themanibox.com

backupasia.com

buffalodetailstore.com

iprdo.com

croce-komeko.com

bluechipsgroup.company

truyencow.com

globalism.online

oicrafts.com

naturalawakeningsprograms.com
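The extracted config above carries one real C2 URL and twenty decoy domains. The Python below is an added example written for this page, not the sandbox's or the malware's code: it separates the C2 host and beacon path from the decoys and classifies constructed proxy-log lines against them. The log format, the client addresses and the `?id=AAAA` query strings are made up for the example; the `decoy-beacon` verdict relies on the family's reported habit of contacting decoy hosts alongside the real C2 using the same URI path, so a hit on a decoy is treated as evidence of infection rather than discarded.

```python
from urllib.parse import urlsplit

# Constructed from the Malware Config section of the report above.
CONFIG = {
    "family": "xloader",
    "c2": ["http://www.pardsoda.com/w25t/"],
    "decoy": [
        "nowayinlocksmith.com", "bookaprovider.com", "joybirder.com",
        "decoracerrado.com", "preciousmonments.com", "96kixx.com",
        "parentseducationalco-op.com", "cbdandbtc.com", "santanadeliciasymas.com",
        "finecharlottehomes.com", "themanibox.com", "backupasia.com",
        "buffalodetailstore.com", "iprdo.com", "croce-komeko.com",
        "bluechipsgroup.company", "truyencow.com", "globalism.online",
        "oicrafts.com", "naturalawakeningsprograms.com",
    ],
}


def norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the C2 URL's host
    and a bare-domain request to the same site compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def indicators(config):
    """Split the config into real C2 host(s), beacon URI path(s) and decoy hosts.
    A decoy that coincides with a C2 host is dropped from the decoy set."""
    c2_hosts, paths = set(), set()
    for url in config["c2"]:
        parts = urlsplit(url)
        c2_hosts.add(norm_host(parts.hostname))
        paths.add(parts.path)
    decoys = {norm_host(d) for d in config["decoy"]} - c2_hosts
    return {"c2_hosts": c2_hosts, "c2_paths": paths, "decoy_hosts": decoys}


def host_matches(host, indicator_hosts):
    """Return the matching indicator for an exact host or any subdomain of it."""
    host = norm_host(host)
    for ind in indicator_hosts:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def classify(url, ind):
    """'c2' for the real C2 host; 'decoy-beacon' for a decoy hit on the C2 path;
    'decoy-host' for other traffic to a decoy; None for anything else."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_matches(host, ind["c2_hosts"]):
        return "c2"
    if host_matches(host, ind["decoy_hosts"]):
        return "decoy-beacon" if parts.path in ind["c2_paths"] else "decoy-host"
    return None


# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
# Query strings are placeholders, not the loader's real beacon format.
SAMPLE_LOG = """\
2021-03-04T22:45:10Z 10.0.0.7 GET http://www.pardsoda.com/w25t/?id=AAAA 404
2021-03-04T22:45:12Z 10.0.0.7 GET http://www.bookaprovider.com/w25t/?id=AAAA 200
2021-03-04T22:45:15Z 10.0.0.9 GET http://www.example.org/index.html 200
2021-03-04T22:45:20Z 10.0.0.7 POST http://www.joybirder.com/w25t/ 200
2021-03-04T22:45:31Z 10.0.0.12 GET http://iprdo.com/ 200
"""


def scan_log(text, ind):
    """Return (client, verdict, host) for every line that touches an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status = line.split()
        verdict = classify(url, ind)
        if verdict:
            hits.append((client, verdict, urlsplit(url).hostname))
    return hits


if __name__ == "__main__":
    ind = indicators(CONFIG)
    for hit in scan_log(SAMPLE_LOG, ind):
        print(hit)
```

Blocking only `www.pardsoda.com` is the minimum; the decoy set is worth loading as a lower-confidence watchlist because an infected host will touch several of them in the same burst as the real beacon, and the `/w25t/` path on any of them is a stronger signal than the host alone.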

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3288

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Command and Control: Web Service (T1102), 1 technique


Downloads

  • memory/636-4-0x0000000002380000-0x000000000238B000-memory.dmp
    Filesize

    44KB

  • memory/3288-5-0x00000000004018E4-mapping.dmp
  • memory/3288-6-0x0000000000401000-0x00000000004FD000-memory.dmp
    Filesize

    1008KB

  • memory/3288-7-0x0000000000560000-0x0000000000660000-memory.dmp
    Filesize

    1024KB

  • memory/3288-8-0x0000000000401000-0x0000000000541000-memory.dmp
    Filesize

    1.2MB

  • memory/3288-9-0x000000001E710000-0x000000001EA30000-memory.dmp
    Filesize

    3.1MB
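The process tree shows the sample spawning a second copy of its own image, with the parent (PID 636) flagged for WriteProcessMemory and SetThreadContext and the child (PID 3288) then enumerating processes; the dump listing shows the child's regions starting at 0x401000. The Python below is an added example for this page, not the sandbox's code: it encodes that process tree and dump listing as constructed data, flags the same-image child of a process that used the write-memory plus set-context pair as the likely hollowing target, verifies that each dump's address range agrees with the size the sandbox printed (the KB/MB formatting rule is inferred from this report), and picks out the child's dumps that begin at the first section of an image assumed to be loaded at 0x400000, which is where the unpacked payload would be carved from. The assumption that the `mapping.dmp` address marks where execution resumed in the child is the example's, not the report's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the Processes and Signatures sections of the report above.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Midie.79660.31247.11578.exe"
PROCESSES = {
    636: {"parent": None, "image": IMAGE,
          "sigs": {"NtSetInformationThreadHideFromDebugger", "SetThreadContext",
                   "MapViewOfSection", "SetWindowsHookEx", "WriteProcessMemory"}},
    3288: {"parent": 636, "image": IMAGE,
           "sigs": {"NtSetInformationThreadHideFromDebugger", "EnumeratesProcesses"}},
}

# Constructed from the Downloads section: "<dump name> <size shown>"; mapping dumps have no size.
DUMP_LISTING = """\
memory/636-4-0x0000000002380000-0x000000000238B000-memory.dmp 44KB
memory/3288-5-0x00000000004018E4-mapping.dmp
memory/3288-6-0x0000000000401000-0x00000000004FD000-memory.dmp 1008KB
memory/3288-7-0x0000000000560000-0x0000000000660000-memory.dmp 1024KB
memory/3288-8-0x0000000000401000-0x0000000000541000-memory.dmp 1.2MB
memory/3288-9-0x000000001E710000-0x000000001EA30000-memory.dmp 3.1MB
"""

HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}


def find_hollowed_children(procs):
    """(parent_pid, child_pid) pairs where a process spawned a copy of its own image
    and carried the write-memory + set-context signature pair. The signatures do not
    name the target process, so the same-image child is an inference."""
    hits = []
    for pid, p in procs.items():
        parent = p["parent"]
        if parent is None or parent not in procs:
            continue
        pp = procs[parent]
        if pp["image"].lower() == p["image"].lower() and HOLLOWING_APIS <= pp["sigs"]:
            hits.append((parent, pid))
    return hits


@dataclass
class Dump:
    pid: int
    index: int
    kind: str            # "memory" (an address range) or "mapping" (a single address)
    start: int
    end: Optional[int]   # None for mapping dumps
    listed: Optional[str]  # size string as printed by the sandbox, if any


DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp(?:\s+(\S+))?$")


def parse_dump(line):
    m = DUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {line!r}")
    pid, idx, start, end, kind, listed = m.groups()
    return Dump(int(pid), int(idx), kind, int(start, 16), int(end, 16) if end else None, listed)


def parse_listing(text):
    return [parse_dump(l) for l in text.splitlines() if l.strip()]


def listed_size_matches(d):
    """Whole KiB for dumps up to 1024KB, MiB truncated to one decimal above that
    (rule inferred from this report). Returns True when the range agrees."""
    if d.kind != "memory" or d.listed is None:
        return True
    size = d.end - d.start
    num, unit = float(d.listed[:-2]), d.listed[-2:]
    if unit == "KB":
        return size == int(num) * 1024
    if unit == "MB":
        return int(size / 1024 / 1024 * 10) / 10 == num
    return False


def payload_regions(dumps, pid, image_base=0x400000):
    """Dumps of `pid` that begin at the first section after the PE header of an image
    loaded at `image_base` (0x400000 assumed: the usual base of a non-relocated
    32-bit PE). Also returns any mapping addresses that fall inside those regions."""
    regions = [d for d in dumps if d.pid == pid and d.kind == "memory"
               and d.start == image_base + 0x1000]
    mappings = [d for d in dumps if d.pid == pid and d.kind == "mapping"]
    covered = [m.start for m in mappings if any(r.start <= m.start < r.end for r in regions)]
    return regions, covered


if __name__ == "__main__":
    dumps = parse_listing(DUMP_LISTING)
    print("size mismatches:", [d for d in dumps if not listed_size_matches(d)])
    for parent, child in find_hollowed_children(PROCESSES):
        regions, covered = payload_regions(dumps, child)
        print(f"PID {parent} hollowed PID {child}; carve",
              [f"{r.start:#x}-{r.end:#x}" for r in regions],
              "mapping inside:", [hex(a) for a in covered])
```

The two 0x401000 dumps of PID 3288 differ in length (1008KB and 1.2MB), which is what you would expect when the sandbox dumped the hollowed image once after the write and again later; the later, larger one is the better candidate for rebuilding the unpacked payload, and the 0x4018E4 mapping address lying inside both is consistent with the parent having pointed the child's thread at code it wrote there.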