Overview

overview

10

Static

static

987654OIUYFG.exe

windows7_x64

10

987654OIUYFG.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    07-05-2021 16:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    987654OIUYFG.exe

  • Size

    821KB

  • MD5

    0e0d5f9088ea19c58c3763c0ada56396

  • SHA1

    cfe4ae26328d511ac04c2a51aebdb82ee463c0d3

  • SHA256

    7f0511e940e8caa44c759e4696bf6b6b7f1389a2290b25c5e3f491270c63daab

  • SHA512

    cf4aea4bd30333fdfbf8dbfcd1ae9909f281f0e67b14d8d4d0c9ae4ac5d2579af968d1022169b238016b00448dd49c8de7b13b1f6824fecf56b15a08c4364e6b

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hysjs168.com/uv34/

Decoy

lattakia-imbiss.com

helenafinaltouch.com

yogamays.com

habangli.com

embraceblm.com

freeurlsite.com

szxanpet.com

inspirationalsblog.com

calibratefirearms.net

chelseashalza.com

ihdeuruim.com

symbolofsafety.com

albanyhumanesociety.net

exclusiveoffer.bet

888yuntu.com

maraitime.com

caletaexperience.com

dreamlikeliving.com

wolvesmito.club

zbyunjin.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\987654OIUYFG.exe
      "C:\Users\Admin\AppData\Local\Temp\987654OIUYFG.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:996
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2436

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/996-125-0x000000000041CFC0-mapping.dmp
      Download
    • memory/996-128-0x0000000001880000-0x0000000001BA0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/996-129-0x00000000013F0000-0x0000000001400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/996-124-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2436-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3008-120-0x0000000007D60000-0x0000000007D61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-118-0x0000000007EB0000-0x0000000007EB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-122-0x0000000002F80000-0x0000000003019000-memory.dmp
      Filesize

      612KB

      Download
    • memory/3008-123-0x0000000001610000-0x0000000001662000-memory.dmp
      Filesize

      328KB

      Download
    • memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-119-0x0000000007C90000-0x000000000818E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3008-116-0x0000000008190000-0x0000000008191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3008-121-0x0000000008050000-0x000000000805E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3008-117-0x0000000007D70000-0x0000000007D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3020-127-0x0000000004A30000-0x0000000004B9B000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3020-136-0x0000000004BA0000-0x0000000004CF9000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3916-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-132-0x0000000000720000-0x0000000000748000-memory.dmp
      Filesize

      160KB

      Download
    • memory/3916-131-0x0000000001080000-0x00000000010A0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3916-134-0x00000000047E0000-0x0000000004B00000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3916-135-0x0000000004630000-0x00000000046BF000-memory.dmp
      Filesize

      572KB

      Download