Overview

overview

10

Static

static

sa.exe

windows7_x64

10

sa.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-05-2021 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sa.exe

  • Size

    841KB

  • MD5

    0aecf41f923bf5cd728a670757af61ed

  • SHA1

    57aba2a76789f270cc3a78903c1cd54ec15d2080

  • SHA256

    c6f11920b2ae7f0255d65e4b04f9944247438ee4d346dc4745f50602df41007b

  • SHA512

    ec827ca487e09e6e74451b0002c9769f882c1a162d0a0f2cfcecf7e6c3b9f2880ff7d25b8114351114a3f8bd6a83383cca183fbe44ea2db353eba10ceba2caf3

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.cats16.com/8u3b/

Decoy

pipienta.com

wisdomfest.net

jenniferreich.com

bigcanoehomesforless.com

kayandbernard.com

offerbuildingsecrets.com

benleefoto.com

contactlesssoftware.tech

statenislandplumbing.info

lifestylemedicineservices.com

blazerplanning.com

fnatic-skins.club

effectivemarketinginc.com

babyshopit.com

2000deal.com

k12paymentcemter.com

spwakd.com

lesreponses.com

abundando.com

hawkspremierfhc.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\sa.exe
      "C:\Users\Admin\AppData\Local\Temp\sa.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Users\Admin\AppData\Local\Temp\sa.exe
        "C:\Users\Admin\AppData\Local\Temp\sa.exe"
        3⤵
          PID:2692
        • C:\Users\Admin\AppData\Local\Temp\sa.exe
          "C:\Users\Admin\AppData\Local\Temp\sa.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\sa.exe"
          3⤵
            PID:2120

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/648-121-0x00000000059C0000-0x00000000059CE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/648-123-0x00000000015B0000-0x0000000001616000-memory.dmp
        Filesize

        408KB

        Download
      • memory/648-117-0x00000000055B0000-0x00000000055B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/648-118-0x0000000005720000-0x0000000005721000-memory.dmp
        Filesize

        4KB

        Download
      • memory/648-119-0x0000000005650000-0x0000000005651000-memory.dmp
        Filesize

        4KB

        Download
      • memory/648-120-0x0000000005680000-0x0000000005B7E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/648-116-0x0000000005B80000-0x0000000005B81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/648-114-0x0000000000B80000-0x0000000000B81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/648-122-0x0000000001500000-0x00000000015AC000-memory.dmp
        Filesize

        688KB

        Download
      • memory/1156-135-0x0000000004430000-0x00000000044C0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1156-134-0x0000000004500000-0x0000000004820000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1156-132-0x0000000000360000-0x0000000000387000-memory.dmp
        Filesize

        156KB

        Download
      • memory/1156-133-0x0000000002900000-0x0000000002929000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1156-130-0x0000000000000000-mapping.dmp
        Download
      • memory/2120-131-0x0000000000000000-mapping.dmp
        Download
      • memory/2428-129-0x0000000005E10000-0x0000000005F1B000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2428-136-0x0000000002460000-0x000000000253A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2752-128-0x0000000001370000-0x0000000001381000-memory.dmp
        Filesize

        68KB

        Download
      • memory/2752-127-0x0000000000F20000-0x0000000001240000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2752-124-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2752-125-0x000000000041D0A0-mapping.dmp
        Download