Overview

overview

10

Static

static

sa.exe

windows7_x64

10

sa.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06-05-2021 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sa.exe

  • Size

    841KB

  • MD5

    0aecf41f923bf5cd728a670757af61ed

  • SHA1

    57aba2a76789f270cc3a78903c1cd54ec15d2080

  • SHA256

    c6f11920b2ae7f0255d65e4b04f9944247438ee4d346dc4745f50602df41007b

  • SHA512

    ec827ca487e09e6e74451b0002c9769f882c1a162d0a0f2cfcecf7e6c3b9f2880ff7d25b8114351114a3f8bd6a83383cca183fbe44ea2db353eba10ceba2caf3

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.cats16.com/8u3b/

Decoy

pipienta.com

wisdomfest.net

jenniferreich.com

bigcanoehomesforless.com

kayandbernard.com

offerbuildingsecrets.com

benleefoto.com

contactlesssoftware.tech

statenislandplumbing.info

lifestylemedicineservices.com

blazerplanning.com

fnatic-skins.club

effectivemarketinginc.com

babyshopit.com

2000deal.com

k12paymentcemter.com

spwakd.com

lesreponses.com

abundando.com

hawkspremierfhc.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\sa.exe
      "C:\Users\Admin\AppData\Local\Temp\sa.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\sa.exe
        "C:\Users\Admin\AppData\Local\Temp\sa.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:744
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\sa.exe"
        3⤵
        • Deletes itself
        PID:568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/568-73-0x0000000000000000-mapping.dmp
    Download
  • memory/744-69-0x00000000008A0000-0x0000000000BA3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/744-70-0x0000000000350000-0x0000000000361000-memory.dmp
    Filesize

    68KB

    Download
  • memory/744-66-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/744-67-0x000000000041D0A0-mapping.dmp
    Download
  • memory/1220-78-0x00000000040A0000-0x000000000414C000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1220-71-0x0000000004B10000-0x0000000004C41000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1496-74-0x00000000006C0000-0x00000000006CD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1496-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-75-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1496-76-0x0000000001F80000-0x0000000002283000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1496-77-0x0000000001E80000-0x0000000001F10000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1640-65-0x0000000007540000-0x00000000075A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1640-64-0x0000000004F30000-0x0000000004FDC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1640-63-0x0000000000890000-0x000000000089E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1640-60-0x0000000000C10000-0x0000000000C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1640-62-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
    Filesize

    4KB

    Download