Overview

overview

10

Static

static

a4b6da0419...in.exe

windows7_x64

10

a4b6da0419...in.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-05-2021 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe

  • Size

    742KB

  • MD5

    89324197965133a737f00cf3ea914d66

  • SHA1

    64147e0f689abce3feed599b0f8a931bc825f6e9

  • SHA256

    a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57

  • SHA512

    ed838f964f8f23e7675494674c34f7eb0959a4eccd2c635d9c422dc113b94fd7d667a547ee041a4ffc5dec22da32a71da88609cf40ed3112be70b1a5924ace4a

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.fulibo.net/treq/

Decoy

sungjinguk.com

xinglanyishu.com

datanghengtong.com

theeaglegolf.com

delco-west.com

scflb.com

phpss.com

the-casual1.club

nfmscholarship.com

badtweezers.com

leonardkoh.com

ex-un.com

hft20001224.com

repurposingforresults.com

purerehabandperformance.com

tower9taik.com

goldenesq.com

wrushop.online

ttlqpphp.xyz

fabbvida.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oAfLOHyig" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB99.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2136
    • C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe"
      2⤵
        PID:3964
      • C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\a4b6da0419d1147387e225baa3506a44c4cc139b6eb35a4e1d5a7ece53c8ea57.bin.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3852

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpEB99.tmp
      MD5

      6afd814e5a44969b8070a2023bbb4edc

      SHA1

      4afd57928be3e7a8c337558561d68abc351e87cc

      SHA256

      a0e4cb1fc375b840fedf39c9fb1452deadb496e01be9fbfedf8f393b6b9a688c

      SHA512

      ff92d7d24fdc4ef61e6cfa14a7f30f61afe69c0b2190e6a342baafc876ed04445b0bf0e48cff554450db0c82298d3e0f2922c41a5a128cf0df7d7eb6381a4619

      Download Submit
    • memory/784-121-0x0000000005160000-0x0000000005161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/784-123-0x0000000000E50000-0x0000000000EF7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/784-118-0x0000000004F70000-0x0000000004F71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/784-119-0x0000000004E30000-0x0000000004ECC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/784-120-0x0000000004E80000-0x0000000004E81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/784-114-0x0000000000460000-0x0000000000461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/784-122-0x0000000005140000-0x000000000514E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/784-117-0x0000000005470000-0x0000000005471000-memory.dmp
      Filesize

      4KB

      Download
    • memory/784-124-0x0000000008040000-0x00000000080A0000-memory.dmp
      Filesize

      384KB

      Download
    • memory/784-116-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2136-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3852-127-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/3852-128-0x000000000041CFB0-mapping.dmp
      Download
    • memory/3852-130-0x0000000001900000-0x0000000001C20000-memory.dmp
      Filesize

      3.1MB

      Download