Overview

overview

10

Static

static

DHL Receip...78.exe

windows7_x64

10

DHL Receip...78.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-05-2021 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Receipt_AWB811470484778.exe

  • Size

    1.2MB

  • MD5

    54e12bb22e93723f1207f9b0c68ce740

  • SHA1

    c4c2bd10d4e5a21997e1b5a2eec5beccd63759ea

  • SHA256

    47e832373110163a11b922941cb9a2377c7e44ed290a528073152b0fb1ffef93

  • SHA512

    d1741eecc9bb3177ce4b115ded4379af5d4898a9088882f130f3a52ecfca5cdefd488316e8076f42c56d5e0c12119b38de28236429b67daaf9262b64af1a5bf3

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.maleev.design/a7dr/

Decoy

thevirginiahighlanders.com

crazybenzi.com

nottruthful.com

happi.info

amjadlighting.com

mlebentv.com

pogrebnolipa.com

907wine.com

programheart.com

jenniferlarmstrong.com

alexjcarpenter.com

rokyslegendou.com

confidenceismine.com

thegeek420.com

hover-lover.com

conversationallawinstitute.com

ssonya.com

woopyyl.com

ebotasymas.com

nysobvakoiijqjs.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe"
        3⤵
          PID:3296
        • C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe
          "C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe"
          3⤵
            PID:2236
          • C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe
            "C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1488
        • C:\Windows\SysWOW64\ipconfig.exe
          "C:\Windows\SysWOW64\ipconfig.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Gathers network information
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\DHL Receipt_AWB811470484778.exe"
            3⤵
              PID:2104

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-116-0x0000000004D10000-0x0000000004D11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-117-0x0000000005370000-0x0000000005371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-118-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-119-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-120-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-121-0x0000000004E70000-0x000000000536E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/640-122-0x0000000005360000-0x000000000536E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/640-123-0x0000000000C60000-0x0000000000CD9000-memory.dmp
          Filesize

          484KB

          Download
        • memory/640-124-0x0000000009700000-0x0000000009732000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1020-131-0x0000000000000000-mapping.dmp
          Download
        • memory/1020-132-0x0000000000CE0000-0x0000000000CEB000-memory.dmp
          Filesize

          44KB

          Download
        • memory/1020-133-0x0000000000CA0000-0x0000000000CC8000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1020-134-0x0000000002D40000-0x0000000002E8A000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1020-136-0x0000000003230000-0x00000000032BF000-memory.dmp
          Filesize

          572KB

          Download
        • memory/1488-126-0x000000000041D010-mapping.dmp
          Download
        • memory/1488-128-0x0000000001070000-0x0000000001390000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1488-130-0x0000000000BF0000-0x0000000000C00000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1488-125-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/2104-135-0x0000000000000000-mapping.dmp
          Download
        • memory/2428-129-0x00000000049F0000-0x0000000004B83000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/2428-137-0x0000000004B90000-0x0000000004C90000-memory.dmp
          Filesize

          1024KB

          Download