686dc98567009e47eac88e95804b9dde.exe

General

Target: 686dc98567009e47eac88e95804b9dde.exe
Filesize: 172KB
Completed: 22-07-2021 08:06
Score: 10/10
MD5: 686dc98567009e47eac88e95804b9dde
SHA1: 5788c30289d12f69d5cf323049d8d3c3a3e73cda
SHA256: 11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952

Malware Config

Extracted

Family: xloader
Version: 2.3
C2: http://www.extinctionbrews.com/dy8g/

Decoy:
mzyxi-rkah-y.net
okinawarongnho.com
qq66520.com
nimbus.watch
cwdelrio.com
regalshopper.com
avito-payment.life
jorgeporcayo.com
galvinsky.digital
guys-only.com
asmfruits-almacenes.com
boatrace-life04.net
cochez.club
thelastvictor.net
janieleconte.com
ivoirepneus.com
saludflv.info
mydreamtv.net
austinphy.com
cajunseafoodstcloud.com
13006608192.com
clear3media.com
thegrowclinic.com
findfoodshop.com
livegaming.store
greensei.com
atmaapothecary.com
builtbydawn.com
wthcoffee.com
melodezu.com
oikoschain.com
matcitekids.com
killrstudio.com
doityourselfism.com
monsoonnerd.com
swissbankmusic.com
envisionfordheights.com
invisiongc.net
aizaibali.com
professioneconsulenza.net
chaneabond.com
theamercianhouseboat.com
scuolatua.com
surivaganza.com
xn--vuq722jwngjre.com
quiteimediato.space
ecofingers.com
manageoceanaccount.com
cindywillardrealtor.com
garimpeirastore.online

Signatures 6

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3932-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

  • Suspicious use of SetThreadContext
    686dc98567009e47eac88e95804b9dde.exe

    Reported IOCs

    description | pid | process | target process
    PID 664 set thread context of 3932 | 664 | 686dc98567009e47eac88e95804b9dde.exe | 686dc98567009e47eac88e95804b9dde.exe

  • Suspicious behavior: EnumeratesProcesses
    686dc98567009e47eac88e95804b9dde.exe

    Reported IOCs

    pid | process
    3932 | 686dc98567009e47eac88e95804b9dde.exe
    3932 | 686dc98567009e47eac88e95804b9dde.exe

  • Suspicious behavior: MapViewOfSection
    686dc98567009e47eac88e95804b9dde.exe

    Reported IOCs

    pid | process
    664 | 686dc98567009e47eac88e95804b9dde.exe

  • Suspicious use of WriteProcessMemory
    686dc98567009e47eac88e95804b9dde.exe

    Reported IOCs

    description | pid | process | target process
    PID 664 wrote to memory of 3932 | 664 | 686dc98567009e47eac88e95804b9dde.exe | 686dc98567009e47eac88e95804b9dde.exe
    PID 664 wrote to memory of 3932 | 664 | 686dc98567009e47eac88e95804b9dde.exe | 686dc98567009e47eac88e95804b9dde.exe
    PID 664 wrote to memory of 3932 | 664 | 686dc98567009e47eac88e95804b9dde.exe | 686dc98567009e47eac88e95804b9dde.exe
    PID 664 wrote to memory of 3932 | 664 | 686dc98567009e47eac88e95804b9dde.exe | 686dc98567009e47eac88e95804b9dde.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe
    "C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe
      "C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:3932
Downloads
  • memory/664-114-0x0000000000460000-0x0000000000462000-memory.dmp
  • memory/3932-115-0x000000000041D090-mapping.dmp
  • memory/3932-116-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/3932-117-0x0000000000A20000-0x0000000000D40000-memory.dmp