Overview

overview

10

Static

static

XQFreZzaubEvXYg.exe

windows7_x64

10

XQFreZzaubEvXYg.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XQFreZzaubEvXYg.exe

  • Size

    465KB

  • MD5

    ddafa2b44ec908b114a4c33431e0952a

  • SHA1

    e85c3f28cd859c6b5ab900c6a0c07a8fcfde8173

  • SHA256

    4ca6a48021d7d442d9311b158691b1f219576d7d37a99f64741463659903ad4c

  • SHA512

    4a3e227d44ad1cd9d6402e3bbde1ecc51196a7d8325f808bd6ba05059a6f596edf82f0ce2b359daa61267f6fcd08dc994549a6b06aec0cda1480ec14ab3efd87

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.panyu-qqbaby.com/weni/

Decoy

sdmdwang.com

konversationswithkoshie.net

carap.club

eagldeream.com

856380585.xyz

elgallocoffee.com

magetu.info

lovertons.com

theichallenge.com

advancedautorepairsonline.com

wingsstyling.info

tapdaugusta.com

wiloasbanhsgtarewdasc.solutions

donjrisdumb.com

experienceddoctor.com

cloverhillconsultants.com

underwear.show

karensgonewild2020.com

arodsr.com

thefucktardmanual.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\XQFreZzaubEvXYg.exe
      "C:\Users\Admin\AppData\Local\Temp\XQFreZzaubEvXYg.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Local\Temp\XQFreZzaubEvXYg.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\XQFreZzaubEvXYg.exe"
        3⤵
          PID:2208

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1108-124-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1108-126-0x0000000001000000-0x0000000001320000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1108-127-0x00000000007F0000-0x0000000000800000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1108-125-0x000000000041D000-mapping.dmp
      Download
    • memory/2208-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2752-130-0x0000000000210000-0x0000000000237000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2752-129-0x0000000000000000-mapping.dmp
      Download
    • memory/2752-134-0x0000000004DD0000-0x0000000004E5F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/2752-133-0x0000000004A20000-0x0000000004D40000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2752-131-0x0000000003370000-0x0000000003398000-memory.dmp
      Filesize

      160KB

      Download
    • memory/3016-117-0x0000000004D40000-0x0000000004D41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-118-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-121-0x00000000071B0000-0x00000000071B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-119-0x0000000004E50000-0x000000000534E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3016-114-0x0000000000420000-0x0000000000421000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-120-0x0000000004E20000-0x0000000004E22000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3016-116-0x0000000005350000-0x0000000005351000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-123-0x00000000069D0000-0x00000000069FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3016-122-0x0000000006A50000-0x0000000006ACD000-memory.dmp
      Filesize

      500KB

      Download
    • memory/3036-128-0x0000000005A30000-0x0000000005BD2000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3036-135-0x0000000005F20000-0x000000000607A000-memory.dmp
      Filesize

      1.4MB

      Download