Overview

overview

10

Static

static

18e38eae3d...bd.exe

windows7_x64

10

18e38eae3d...bd.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18e38eae3d407418b879271c9b5736bd.exe

  • Size

    664KB

  • MD5

    18e38eae3d407418b879271c9b5736bd

  • SHA1

    922687da4673862f203b62884ac6a2cfb49790d3

  • SHA256

    38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c

  • SHA512

    2ece524bd152c58d42cc12331f218abb5f60f3e4a9d41e7927d2e76d72a07061aa07fb18d90d329a072734bf39334171ec16e2ba0005f468f8b27a14269a71c9

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.naturalresourcesmgt.com/bsk9/

Decoy

ignitedennys.com

theawslearn.net

tuningyan.wiki

professionalboom.com

btt3d.online

ceyaqua.com

knightslunarius.com

zc168sl.com

girlsnightclasses.com

tcsalud.com

homecottagestudio.com

92gwb.com

stainlesslion.com

arunkapur.com

chalkwithkristi.com

yourmidastouch.com

wijayashaw.com

roofingcompanyinchattanooga.com

sdbadatong.com

tombison.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\18e38eae3d407418b879271c9b5736bd.exe
      "C:\Users\Admin\AppData\Local\Temp\18e38eae3d407418b879271c9b5736bd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\SysWOW64\mshta.exe
        C:\Windows\System32\mshta.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\mshta.exe"
        3⤵
          PID:4048

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2032-121-0x0000000000000000-mapping.dmp
      Download
    • memory/2032-128-0x0000000004B90000-0x0000000004C1F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/2032-127-0x0000000004E40000-0x0000000005160000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2032-125-0x0000000000CA0000-0x0000000000CC8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2032-124-0x0000000000D00000-0x0000000000D12000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2840-116-0x0000000000830000-0x0000000000831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2840-119-0x00000000009D0000-0x00000000009E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2840-118-0x0000000003040000-0x0000000003360000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2840-117-0x0000000010410000-0x0000000010438000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2840-115-0x0000000000000000-mapping.dmp
      Download
    • memory/3064-120-0x0000000004DB0000-0x0000000004EE2000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3064-129-0x0000000005E40000-0x0000000005FC9000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4040-114-0x0000000000620000-0x0000000000621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4048-126-0x0000000000000000-mapping.dmp
      Download