Overview

overview

10

Static

static

Instruction copy.exe

windows7_x64

10

Instruction copy.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    197s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Instruction copy.exe

  • Size

    960KB

  • MD5

    f91a66d080744b9e8b946984d6d747c4

  • SHA1

    886580b7e7d7f27135d2c9981770a2a59332e680

  • SHA256

    c6a1a1a68b5faac43930deeab9cd6745bde62869786e21e0681b3dc0973afa80

  • SHA512

    b559c9048de556c45f77e26d4c2f1c7785348b76ae4d5f9957e202a5c9d01e7c68a1a3958aeede45ff427ad741b01fcd15497e67898acfc5176f9ac9aa1e2238

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.inverservi.com/m6b5/

Decoy

ixtarbelize.com

pheamal.com

daiyncc.com

staydoubted.com

laagerlitigation.club

sukrantastansakarya.com

esupport.ltd

vetscontracting.net

themuslimlife.coach

salmanairs.com

somatictherapyservices.com

lastminuteminister.com

comunicarbuenosaires.com

kazuya.tech

insightlyservicedev.com

redevelopment38subhashnagar.com

thefutureinvestor.com

simplysu.com

lagu45.com

livingstonpistolpermit.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe
      "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe
        "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
        3⤵
          PID:336
        • C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe
          "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
          3⤵
            PID:656
          • C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe
            "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:468
        • C:\Windows\SysWOW64\systray.exe
          "C:\Windows\SysWOW64\systray.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
            3⤵
            • Deletes itself
            PID:516

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/468-64-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/468-65-0x000000000041D0F0-mapping.dmp
        Download
      • memory/468-67-0x00000000000B0000-0x00000000000C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/468-66-0x00000000009F0000-0x0000000000CF3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/516-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1188-61-0x0000000000560000-0x00000000005DB000-memory.dmp
        Filesize

        492KB

        Download
      • memory/1188-62-0x0000000004E60000-0x0000000004E61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1188-63-0x0000000000540000-0x000000000054F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/1188-59-0x00000000000E0000-0x00000000000E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1196-68-0x0000000003D00000-0x0000000003DC8000-memory.dmp
        Filesize

        800KB

        Download
      • memory/1196-75-0x0000000004A30000-0x0000000004B2B000-memory.dmp
        Filesize

        1004KB

        Download
      • memory/1712-71-0x00000000000C0000-0x00000000000E9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1712-72-0x0000000001F30000-0x0000000002233000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1712-70-0x0000000000990000-0x0000000000995000-memory.dmp
        Filesize

        20KB

        Download
      • memory/1712-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1712-74-0x0000000001DA0000-0x0000000001E2F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/1712-76-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
        Filesize

        8KB

        Download