Overview

overview

10

Static

static

e3fb74ce40...a8.exe

windows7_x64

10

e3fb74ce40...a8.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3fb74ce4008f4d48cefbb730b6885a8.exe

  • Size

    273KB

  • MD5

    e3fb74ce4008f4d48cefbb730b6885a8

  • SHA1

    2fc203f6e0cbf366a747a320545f9d3cd247c93a

  • SHA256

    6733d0ce3ad0c63755f82e7c05a815f2420cccd7f7775dd9227732f59e7fafff

  • SHA512

    520dd3aa03a808400196bdc6bab89e5cf55693104a2907f23a056fd9fc9f3f040604ce5fd0778804ff7a86f2a9b05bce2a389f28db8053d50a4a848a65345d12

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.preciousvessel.com/spj6/

Decoy

kdelchev.com

myriamward.com

megaconsulting.pro

sunglassesmu.com

hispanavisionct.com

bodaciousbuffy.com

chuhuu.com

jerexcursion.com

merkabahindustries.com

shaktiroommontreal.com

violet-moon-interior-design.com

pyrosunited.com

89xs.xyz

bestchatonline.com

cubiscoin.com

ianzu.com

playersresearch.com

digitalvl.com

baans-barw.com

yuria-rain.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3fb74ce4008f4d48cefbb730b6885a8.exe
    "C:\Users\Admin\AppData\Local\Temp\e3fb74ce4008f4d48cefbb730b6885a8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Local\Temp\e3fb74ce4008f4d48cefbb730b6885a8.exe
      C:\Users\Admin\AppData\Local\Temp\e3fb74ce4008f4d48cefbb730b6885a8.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2332-119-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2332-120-0x000000000041D010-mapping.dmp
    Download
  • memory/2332-122-0x0000000000FD0000-0x00000000012F0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/4436-114-0x0000000000A40000-0x0000000000A41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4436-116-0x0000000001270000-0x0000000001272000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4436-117-0x0000000002D10000-0x0000000002D45000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4436-118-0x0000000005370000-0x0000000005371000-memory.dmp
    Filesize

    4KB

    Download