Overview

overview

10

Static

static

PURCHASE C...DF.exe

windows7_x64

10

PURCHASE C...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-06-2021 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe

  • Size

    923KB

  • MD5

    8eb4085101f4cc1f78bde6323c2cf954

  • SHA1

    2162c6fa8a2c278b2a6aeea2491ea62eea56e5c4

  • SHA256

    00139ffbc60ffd8c46045238f984371a7cd5dd8a9c0f39af10eb0512bb82a40a

  • SHA512

    56b1a44c974d1635e0daf84b7038ab8e6672b0dc74eb41609c2467a09e2f22b59bb34be7ba0c92623685d845228874c5378d157c299bdc7081aef60bf7919e03

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.xgegqs.com/gscc/

Decoy

digdeepalways.com

medicaidcovidsurvey.com

thebranchfellowship.com

trillionairebigboysclub.com

pointsvalidation.com

thatcomfortableplace.com

stretchingchic.com

tabletadigital.online

xkg.xyz

merlin-hygieneforce.com

mockexamsonline.com

mortgagemegloans.com

fraudcast.net

bexleyheathdmcc.xyz

shop77c.club

blueathue.com

bjzxsd.com

8metode.com

ravexim3.com

kratiemthaicuisine.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3892
      • C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
        3⤵
          PID:3772
        • C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:736
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE CONTRACT #GJPL1202 2021-22PDF.exe"
          3⤵
            PID:3496

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/736-126-0x000000000041D050-mapping.dmp
        Download
      • memory/736-129-0x0000000001210000-0x000000000135A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/736-128-0x0000000001760000-0x0000000001A80000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/736-125-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/3044-137-0x0000000003190000-0x0000000003251000-memory.dmp
        Filesize

        772KB

        Download
      • memory/3044-130-0x00000000059E0000-0x0000000005ACD000-memory.dmp
        Filesize

        948KB

        Download
      • memory/3476-131-0x0000000000000000-mapping.dmp
        Download
      • memory/3476-136-0x0000000005100000-0x000000000518F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/3476-135-0x00000000052B0000-0x00000000055D0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3476-134-0x0000000000D30000-0x0000000000D58000-memory.dmp
        Filesize

        160KB

        Download
      • memory/3476-133-0x0000000000D70000-0x000000000106C000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/3496-132-0x0000000000000000-mapping.dmp
        Download
      • memory/3892-121-0x00000000078A0000-0x00000000078B0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3892-118-0x00000000075D0000-0x00000000075D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-117-0x0000000007A30000-0x0000000007A31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-114-0x0000000000310000-0x0000000000311000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-119-0x0000000007470000-0x0000000007471000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-120-0x0000000007730000-0x0000000007731000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-122-0x00000000071E0000-0x00000000071E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3892-124-0x0000000002570000-0x00000000025CE000-memory.dmp
        Filesize

        376KB

        Download
      • memory/3892-123-0x0000000009A30000-0x0000000009AC4000-memory.dmp
        Filesize

        592KB

        Download
      • memory/3892-116-0x0000000007490000-0x0000000007491000-memory.dmp
        Filesize

        4KB

        Download