Overview

overview

10

Static

static

76ffc32ba9...b0.exe

windows7_x64

10

76ffc32ba9...b0.exe

windows10_x64

10

Analysis

  • max time kernel
    46s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-05-2021 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76ffc32ba98dd84e396af77ad4311d99b3a1bbb0.exe

  • Size

    920KB

  • MD5

    e9777bb4745f38009a1d806392a437e5

  • SHA1

    76ffc32ba98dd84e396af77ad4311d99b3a1bbb0

  • SHA256

    eb8c5fa3da30f5d972e7d30767099990aadce5af9e046a2765b0c64222eab118

  • SHA512

    794f80a25ae343075421e2d6a030d3a30ef0f2790649fad1c7fc80b31b4ce9d755dfe10634e0d28a684f39d2cffec0c8e7c17d18547df88335ef2d5c2de29f0f

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.asconstructionin.com/m3rc/

Decoy

manonkelley.com

prosperouspromises.com

biglebowlski.com

zhenyash.com

wayinfinite.com

vaginalmedicine.com

garnogroup.com

6-8-8-8-8.website

universtal.com

gillet.pro

hwrfxkna.com

unapersonaestabien.com

organicdiehards.com

santini7.com

salt9pepper.com

ericasorganiclife.com

vipgifts.online

mariozumbo.com

genetikfatura.com

heypapabear.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76ffc32ba98dd84e396af77ad4311d99b3a1bbb0.exe
    "C:\Users\Admin\AppData\Local\Temp\76ffc32ba98dd84e396af77ad4311d99b3a1bbb0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\76ffc32ba98dd84e396af77ad4311d99b3a1bbb0.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/520-66-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/520-67-0x000000000041D030-mapping.dmp
    Download
  • memory/520-69-0x00000000009E0000-0x0000000000CE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1632-60-0x00000000013C0000-0x00000000013C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-62-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1632-63-0x0000000000250000-0x000000000025E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1632-64-0x0000000005100000-0x0000000005190000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1632-65-0x0000000001310000-0x0000000001351000-memory.dmp
    Filesize

    260KB

    Download