Overview

overview

10

Static

static

klSsrzxwsbxeJQh.exe

windows7_x64

10

klSsrzxwsbxeJQh.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    klSsrzxwsbxeJQh.exe

  • Size

    818KB

  • MD5

    3be1fa609b4f6efa9d30b5c75810f863

  • SHA1

    61dcd8a4bd4641a7cc4800b5aea9ecaf7c6609bf

  • SHA256

    27572043b01a99f3901af4bd40faf03cd04e722e3fb7ba866ccdb3b2d3fabb11

  • SHA512

    b5d36a463c8eca050b3db941449d79b91c870990685b20bc192f09037231a17c2939c74b2312820a09aa54e553e61a6ab0320ea7b5f9ee60a92331ccf79b7911

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.arogyanlife.com/b82a/

Decoy

annguyet.net

parkwood.tech

readysetmortgage.net

betraywithdraw.com

incmagazine.xyz

dentistinpimplesaudagar.com

lianhx.com

prodrelease0827b.com

safehavenwellbeing.com

gehdeinweg.club

sondaggio123.space

prospecx.report

remediate.info

savylash.com

puppornstar.com

coaching-romand.com

boozeshops.com

team316media.com

ldgawydtl.icu

trezteez.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe
      "C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe
        "C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe"
        3⤵
          PID:472
        • C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe
          "C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:612
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\klSsrzxwsbxeJQh.exe"
          3⤵
          • Deletes itself
          PID:1828

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/612-71-0x0000000000350000-0x0000000000360000-memory.dmp
      Filesize

      64KB

      Download
    • memory/612-68-0x00000000006E0000-0x00000000009E3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/612-66-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/612-67-0x000000000041CFC0-mapping.dmp
      Download
    • memory/612-69-0x0000000000310000-0x0000000000320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/752-63-0x0000000000270000-0x000000000027B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/752-64-0x0000000004F10000-0x0000000004F84000-memory.dmp
      Filesize

      464KB

      Download
    • memory/752-65-0x0000000000560000-0x000000000058F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/752-60-0x00000000010B0000-0x00000000010B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/752-62-0x0000000004D20000-0x0000000004D21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1100-78-0x0000000000540000-0x00000000005CF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1100-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1100-75-0x0000000000080000-0x00000000000A8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1100-76-0x0000000000990000-0x0000000000C93000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1100-74-0x0000000000350000-0x0000000000358000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1100-80-0x0000000075451000-0x0000000075453000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1200-72-0x0000000006270000-0x00000000063B8000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1200-70-0x0000000003D70000-0x0000000003E20000-memory.dmp
      Filesize

      704KB

      Download
    • memory/1200-79-0x0000000005ED0000-0x0000000005F84000-memory.dmp
      Filesize

      720KB

      Download
    • memory/1828-77-0x0000000000000000-mapping.dmp
      Download