Overview

overview

10

Static

static

1

fb6c841478...ff.exe

windows7_x64

10

fb6c841478...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    16s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb6c841478354f42dd2baa5e0b617dff.exe

  • Size

    207KB

  • MD5

    fb6c841478354f42dd2baa5e0b617dff

  • SHA1

    c1d1212b6e7cae77ae2d617f461a7d6003cb6c6c

  • SHA256

    b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb

  • SHA512

    49fdaae6792f72de12b4303c4a1874a99e7d1c69bb32cb37d59d9e207e693cdf90612f5ec8278cd7e1cb8c1d1dcd8124b7f66165ed6730ab5c1ec0e8cc8dddb8

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.montcoimmigrationlawyer.com/uoe8/

Decoy

chalance.design

certifiedlaywernj.com

bsbgraphic.com

caeka.com

zagorafinancial.com

cvingenieriacivil.net

mojilifenoosa.com

bucktheherd.net

sparkmonic.com

catherineandwilson.com

cdefenders.com

intersp.net

santoriniimpressivetours.net

arkansaspaymentrelief.com

tewab.com

bjzjgjg.com

michgoliki.com

oallahplease.com

plaisterpress.com

redyroblx.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe
    "C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe
      "C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd27E3.tmp\ynuec.dll
    MD5

    40ad901ded07128f45c05b24c6aee1e0

    SHA1

    cdf241938b7e2574ad66ced23de599dc7e523bc8

    SHA256

    15e60d9e5fa792cd5cc27efc82d3f678cb4b75e28db4ae0161674f48f91977ab

    SHA512

    b21ab6c90e1bde8ffeb96eedc9ac580eb33a13489dc2d786951fd976034b55d36b28bb720efdbdf30437848ac57c6d5844678a0896c219e85fe71a462904b0d3

    Download Submit
  • memory/2636-116-0x000000000041D0A0-mapping.dmp
    Download
  • memory/2636-118-0x00000000009C0000-0x0000000000CE0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2636-117-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3656-115-0x0000000002F70000-0x0000000002F72000-memory.dmp
    Filesize

    8KB

    Download