nloader | 492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303

General

Target

viri.exe.dll
Size

37KB
MD5

8539346052a26e7afb4c7e4331c88448
SHA1

6be665d2139f14759a025543b83c4c0cbff70687
SHA256

492992c706bb70b10eedb7952c287ec1df35fceb32f4d050a18f51bb6e60e303
SHA512

4d380dbc13def50a6033498174c1fa26f74e3545701deaccab42111ea205d5592f584bf2980ea71c0260d9a67f742c2c9c64267ee73f5f2b9e169e84b69e8753

Score

10^/10

nloader loader

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-4-0x0000000000100000-0x0000000000109000-memory.dmp	nloader
behavioral1/memory/1924-5-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral1/memory/1924-6-0x00000000001D0000-0x00000000001D5000-memory.dmp	nloader
behavioral1/memory/1924-7-0x00000000000F0000-0x00000000000F6000-memory.dmp	nloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1364 1924 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1364 WerFault.exe
1364 WerFault.exe
1364 WerFault.exe
1364 WerFault.exe
1364 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1364 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1364 WerFault.exe

pid	pid_target	process	target process
1364	1924	WerFault.exe	rundll32.exe

pid	process
1364	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1364	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1924	1108	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 1364	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1364	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1364	1924	rundll32.exe	WerFault.exe
PID 1924 wrote to memory of 1364	1924	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\viri.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\viri.exe.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

memory/1364-8-0x0000000000000000-mapping.dmp

Download
memory/1364-9-0x0000000000900000-0x0000000000911000-memory.dmp

Filesize
68KB

Download
memory/1364-10-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1924-2-0x0000000000000000-mapping.dmp

Download
memory/1924-3-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1924-4-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/1924-5-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1924-6-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/1924-7-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download