Overview

overview

10

Static

static

PO.exe

windows7_x64

10

PO.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-04-2021 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.exe

  • Size

    529KB

  • MD5

    4bb710142c4fa183e24dbd3ce3c7b51d

  • SHA1

    64a659096deda60c37861ddc0d26d3bfb11cc0c7

  • SHA256

    4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358

  • SHA512

    7b157763a01bcfba0a66d026af138209a2b3fccd955e789158d39a5e4738491f8146c1894aceabae42e7e064b02314f098ea52351dcbd2f66feed2b8ee6acc35

Score
10/10
xloaderagilenetloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.retro-e-scooter.com/sawc/

Decoy

prozedere.com

p53mutation.net

sidepiecebags.com

5865145.com

hushadianji.com

riseses.com

curvywahinemaui.com

marienish.com

tenxtimes.net

xcusehheseje.com

tjtradelimited.com

mitraberdaya.com

koedk.com

currenibtc.com

casa-rural-via.com

prcodes.xyz

brandariz.net

mcsc.club

curiget.xyz

juli.world

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:504
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
          PID:2448

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      MD5

      6a673bfc3b67ae9782cb31af2f234c68

      SHA1

      7544e89566d91e84e3cd437b9a073e5f6b56566e

      SHA256

      978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

      SHA512

      72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      MD5

      6a673bfc3b67ae9782cb31af2f234c68

      SHA1

      7544e89566d91e84e3cd437b9a073e5f6b56566e

      SHA256

      978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

      SHA512

      72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

      Download Submit
    • memory/504-141-0x0000000004740000-0x00000000047CF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/504-138-0x00000000049F0000-0x0000000004D10000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/504-137-0x0000000003100000-0x0000000003128000-memory.dmp
      Filesize

      160KB

      Download
    • memory/504-136-0x00000000008A0000-0x0000000000CDF000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/504-135-0x0000000000000000-mapping.dmp
      Download
    • memory/2448-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2492-142-0x00000000033A0000-0x0000000003469000-memory.dmp
      Filesize

      804KB

      Download
    • memory/2492-134-0x00000000059F0000-0x0000000005B68000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2808-128-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2808-132-0x0000000001160000-0x0000000001480000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2808-133-0x0000000000B40000-0x0000000000B50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2808-129-0x000000000041D020-mapping.dmp
      Download
    • memory/4048-125-0x0000000005080000-0x0000000005112000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4048-126-0x0000000007270000-0x000000000727B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4048-114-0x0000000000860000-0x0000000000861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-127-0x0000000009870000-0x0000000009871000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-124-0x00000000068F0000-0x00000000068F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-123-0x0000000006AD0000-0x0000000006AD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-122-0x0000000006920000-0x0000000006941000-memory.dmp
      Filesize

      132KB

      Download
    • memory/4048-121-0x0000000005080000-0x0000000005112000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4048-119-0x00000000052C0000-0x00000000052C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-118-0x0000000005220000-0x0000000005221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-117-0x0000000005180000-0x0000000005181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-116-0x0000000005680000-0x0000000005681000-memory.dmp
      Filesize

      4KB

      Download