Overview

overview

10

Static

static

a1d6e3ac3e...1d.exe

windows7_x64

10

a1d6e3ac3e...1d.exe

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-04-2021 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1d6e3ac3ee1adbbc7a16e5f7d7cac1d.exe

  • Size

    611KB

  • MD5

    a1d6e3ac3ee1adbbc7a16e5f7d7cac1d

  • SHA1

    c389f7fe73ba9c75d391c9f9c2bcff87c51556c7

  • SHA256

    c076e25acd902f35a52bdb12240494e39df85412b09111e451afdc584487b5df

  • SHA512

    d247593dcf889544745ff02599f8094811a83a159c9818c377b00ff39daa68be8125f799d23074b57e2ddfeb878b5d68615e3f258e646164aca98c19dba5807b

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.allindiatrust.com/sbjq/

Decoy

topbrandslook.xyz

kupilabs.com

cedrick.net

91mh.info

ajoph.net

finishtheverse.com

pondokquranaljariyah.com

happyhoopoe.com

lowcostfooddelivery.com

estudiosvacunacovid19-co.com

iestradanhhome.com

xn--caasymas-e3a.com

shopqls.com

wpnator.com

parentedagency.com

nundmshop.com

lodosmimarlik.com

ccidyy.xyz

bem-vestida.com

smartincomeafrica.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1d6e3ac3ee1adbbc7a16e5f7d7cac1d.exe
    "C:\Users\Admin\AppData\Local\Temp\a1d6e3ac3ee1adbbc7a16e5f7d7cac1d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\a1d6e3ac3ee1adbbc7a16e5f7d7cac1d.exe
      "C:\Users\Admin\AppData\Local\Temp\a1d6e3ac3ee1adbbc7a16e5f7d7cac1d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/756-60-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/756-62-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/756-63-0x0000000000560000-0x0000000000569000-memory.dmp
    Filesize

    36KB

    Download
  • memory/756-64-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/756-65-0x00000000051A0000-0x0000000005222000-memory.dmp
    Filesize

    520KB

    Download
  • memory/756-66-0x00000000020B0000-0x00000000020ED000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1428-68-0x000000000041D060-mapping.dmp
    Download
  • memory/1428-67-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1428-70-0x0000000000A20000-0x0000000000D23000-memory.dmp
    Filesize

    3.0MB

    Download