Overview

overview

10

Static

static

74ed218c_b...is.exe

windows7_x64

10

74ed218c_b...is.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    03-05-2021 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74ed218c_by_Libranalysis.exe

  • Size

    775KB

  • MD5

    74ed218c2c421e3978445a1edbe40a08

  • SHA1

    16d950eae07654c9805d4476928c4c8d7d12fcc1

  • SHA256

    b32ad3bf2b79e411ca0450c1d5430d12c9bb73c269e0838ee512bc816fcce3b7

  • SHA512

    0cb4af6ad1434d4140d0e055fc77de2543c9ea9babe077de27184b1628cbdc8f32530c5f0c2f4b3e1199459c0521e67415421525070c0870e75dc09105bf94d6

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.cats16.com/8u3b/

Decoy

pipienta.com

wisdomfest.net

jenniferreich.com

bigcanoehomesforless.com

kayandbernard.com

offerbuildingsecrets.com

benleefoto.com

contactlesssoftware.tech

statenislandplumbing.info

lifestylemedicineservices.com

blazerplanning.com

fnatic-skins.club

effectivemarketinginc.com

babyshopit.com

2000deal.com

k12paymentcemter.com

spwakd.com

lesreponses.com

abundando.com

hawkspremierfhc.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe
      "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe
        "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
        3⤵
          PID:1796
        • C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe
          "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
          3⤵
            PID:752
          • C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe
            "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
            3⤵
              PID:1696
            • C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe
              "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1044
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\SysWOW64\control.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\74ed218c_by_Libranalysis.exe"
              3⤵
              • Deletes itself
              PID:1152

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1044-69-0x00000000008B0000-0x0000000000BB3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1044-70-0x0000000000240000-0x0000000000251000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1044-66-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/1044-67-0x000000000041D0A0-mapping.dmp

          Download

        • memory/1152-77-0x0000000000000000-mapping.dmp

          Download

        • memory/1200-79-0x00000000063D0000-0x000000000650C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-71-0x0000000006130000-0x0000000006241000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1512-74-0x0000000000950000-0x000000000096F000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1512-72-0x0000000000000000-mapping.dmp

          Download

        • memory/1512-73-0x00000000757C1000-0x00000000757C3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1512-75-0x0000000000080000-0x00000000000A9000-memory.dmp

          Filesize

          164KB

          Download

        • memory/1512-76-0x0000000002040000-0x0000000002343000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1512-78-0x0000000001E00000-0x0000000001E90000-memory.dmp

          Filesize

          576KB

          Download

        • memory/1840-65-0x0000000004790000-0x00000000047F2000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1840-64-0x0000000005010000-0x00000000050B8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1840-60-0x0000000000170000-0x0000000000171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1840-63-0x00000000005C0000-0x00000000005CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1840-62-0x0000000004000000-0x0000000004001000-memory.dmp

          Filesize

          4KB

          Download