Overview

overview

10

Static

static

RFQ Rosemount.exe

windows7_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    27-07-2021 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ Rosemount.exe

  • Size

    1.3MB

  • MD5

    58f2fc9e3b1e045d4f6040e0b15e7b3d

  • SHA1

    3fd996467fc1b057e9f0fe436dd7f46cf460e688

  • SHA256

    5d73a302ff09dd9d39420703dc50c9530ac6e78b55c762f9c03df76be39d6c2c

  • SHA512

    a4d0627fedf36e64aca0dd5154189d0fd280f212adc8e700c3e01ce6a4fe818454b7f3afe79ae37d45b990573be9eaf8d9d3ef58aed2cb19f27d66c64c94d044

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.lapashawhite.com/p596/

Decoy

ushistorical.com

lovepropertylondon.com

acupress-the-point.com

3772548.com

ambientabuse.com

primaveracm.com

themidwestmomblog.com

havasavunma.com

rockyroadbrand.com

zzphys.com

masque-inclusif.com

myeonyeokplus.com

linkernet.pro

zezirma.com

mysiniar.com

andreamall.com

mattesonauto.com

wandopowerinc.com

casaurgence.com

salishseaquilts.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\RFQ Rosemount.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ Rosemount.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\RFQ Rosemount.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ Rosemount.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\help.exe
          "C:\Windows\SysWOW64\help.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\RFQ Rosemount.exe"
            5⤵
            • Deletes itself
            PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/560-76-0x0000000000730000-0x0000000000A33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/560-77-0x0000000075551000-0x0000000075553000-memory.dmp
    Filesize

    8KB

    Download
  • memory/560-74-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/560-73-0x0000000000180000-0x0000000000186000-memory.dmp
    Filesize

    24KB

    Download
  • memory/560-72-0x0000000000000000-mapping.dmp
    Download
  • memory/560-78-0x00000000005F0000-0x0000000000680000-memory.dmp
    Filesize

    576KB

    Download
  • memory/776-68-0x0000000000180000-0x0000000000191000-memory.dmp
    Filesize

    68KB

    Download
  • memory/776-67-0x00000000008B0000-0x0000000000BB3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/776-66-0x000000000041D060-mapping.dmp
    Download
  • memory/776-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/776-70-0x00000000002D0000-0x00000000002E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1164-59-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1164-64-0x00000000006A0000-0x00000000006CB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1164-63-0x00000000053E0000-0x000000000544F000-memory.dmp
    Filesize

    444KB

    Download
  • memory/1164-62-0x00000000004A0000-0x00000000004CD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1164-61-0x0000000004E10000-0x0000000004E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1264-71-0x0000000006BF0000-0x0000000006D1E000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1264-79-0x0000000004D80000-0x0000000004E2E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1264-69-0x0000000006580000-0x000000000668C000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1764-75-0x0000000000000000-mapping.dmp
    Download