Overview

overview

10

Static

static

PURCHASE C...DF.exe

windows7_x64

10

PURCHASE C...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe

  • Size

    923KB

  • MD5

    8eb4085101f4cc1f78bde6323c2cf954

  • SHA1

    2162c6fa8a2c278b2a6aeea2491ea62eea56e5c4

  • SHA256

    00139ffbc60ffd8c46045238f984371a7cd5dd8a9c0f39af10eb0512bb82a40a

  • SHA512

    56b1a44c974d1635e0daf84b7038ab8e6672b0dc74eb41609c2467a09e2f22b59bb34be7ba0c92623685d845228874c5378d157c299bdc7081aef60bf7919e03

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.xgegqs.com/gscc/

Decoy

digdeepalways.com

medicaidcovidsurvey.com

thebranchfellowship.com

trillionairebigboysclub.com

pointsvalidation.com

thatcomfortableplace.com

stretchingchic.com

tabletadigital.online

xkg.xyz

merlin-hygieneforce.com

mockexamsonline.com

mortgagemegloans.com

fraudcast.net

bexleyheathdmcc.xyz

shop77c.club

blueathue.com

bjzxsd.com

8metode.com

ravexim3.com

kratiemthaicuisine.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:520
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
        3⤵
        • Deletes itself
        PID:1468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/520-71-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/520-65-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/520-69-0x0000000000130000-0x0000000000140000-memory.dmp
    Filesize

    64KB

    Download
  • memory/520-68-0x0000000000880000-0x0000000000B83000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/520-66-0x000000000041D050-mapping.dmp
    Download
  • memory/1108-78-0x0000000001E60000-0x0000000002163000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1108-76-0x0000000000040000-0x000000000005F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1108-79-0x0000000001DC0000-0x0000000001E4F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1108-77-0x00000000000E0000-0x0000000000108000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1108-74-0x0000000074F31000-0x0000000074F33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1108-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-72-0x00000000068C0000-0x0000000006981000-memory.dmp
    Filesize

    772KB

    Download
  • memory/1208-80-0x00000000096B0000-0x00000000097E5000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1208-70-0x0000000004AF0000-0x0000000004C16000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1468-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1656-63-0x00000000078C0000-0x0000000007954000-memory.dmp
    Filesize

    592KB

    Download
  • memory/1656-61-0x0000000006FA0000-0x0000000006FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1656-64-0x0000000000F30000-0x0000000000F8E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1656-59-0x00000000013C0000-0x00000000013C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1656-62-0x0000000000500000-0x0000000000510000-memory.dmp
    Filesize

    64KB

    Download