Overview

overview

10

Static

static

ada8b1320a...5a.exe

windows7_x64

10

ada8b1320a...5a.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ada8b1320a6f303fbd5c09d3dab2235a.exe

  • Size

    734KB

  • MD5

    ada8b1320a6f303fbd5c09d3dab2235a

  • SHA1

    127abb366bfbc70bdb90d0339333b02261eb2140

  • SHA256

    703a9d816bb422e4d2adeee4f7b6df250bf0441004c0939a03e927400420d9b9

  • SHA512

    64e7c304b70911735ad1225d9ad080805f5667b63216308906bb8d8a8463c01dfd1dc43c0b62ebca0c3eab2831d8d17889f4205bfece85e4fc0dfaaca5f98f76

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.ejsuniqueclasses.com/f0sg/

Decoy

deondevemaagua.com

highcolorchem.com

remax-pros-sd.com

smartmotiontrans.com

staltower.com

raiseamerican.com

io-tonix.com

llawenydd.com

minkladieshaircollections.com

ataria.net

roofers-baltimore.com

infinityventura.com

dvdxbase.com

babebrowpen.com

rascontractingllc.com

designingdreamshome.com

groobefunnels.com

americanstatesapparel.com

theketodesserts.com

bend-a-knee.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ada8b1320a6f303fbd5c09d3dab2235a.exe
    "C:\Users\Admin\AppData\Local\Temp\ada8b1320a6f303fbd5c09d3dab2235a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Users\Admin\AppData\Local\Temp\ada8b1320a6f303fbd5c09d3dab2235a.exe
      "C:\Users\Admin\AppData\Local\Temp\ada8b1320a6f303fbd5c09d3dab2235a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-116-0x0000000005260000-0x0000000005261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-117-0x0000000005800000-0x0000000005801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-118-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-119-0x00000000051C0000-0x00000000051C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-120-0x0000000005460000-0x0000000005461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-121-0x0000000002C90000-0x0000000002C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/508-122-0x0000000005530000-0x000000000553E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/508-123-0x0000000006F80000-0x0000000007027000-memory.dmp

    Filesize

    668KB

    Download

  • memory/508-124-0x0000000007030000-0x0000000007090000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1632-125-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1632-126-0x000000000041D0A0-mapping.dmp

    Download

  • memory/1632-128-0x00000000016C0000-0x00000000019E0000-memory.dmp

    Filesize

    3.1MB

    Download