ledger.exe

General
  Target      ledger.exe
  Filesize    746KB
  Completed   10-09-2021 09:26
  Score       10/10
  MD5         bb7bbc40aef8439092e6345d3428c975
  SHA1        9bf46b95ff700e57bc0e38d5133577bfad260ea2
  SHA256      b194903f2fb1231113b2cffdd6cf47e25d4d9f99675654f70865b1f3d0a9160c

Malware Config

Extracted
  Family    xloader
  Version   2.3
  Campaign  n58i
  C2        http://www.biosonicmicrocurrent.com/n58i/
  Decoy     (domains embedded in the config next to the C2; the sample contacts these as well, but they are for the most part unrelated third-party sites, so hunt and block on the C2 URL and its campaign path /n58i/ rather than on this list)
    electrifyz.com
    silkpetalz.net
    cognitivenavigation.com
    poophaikus.com
    orchidiris.com
    arteregalos.com
    dailybookmarks.info
    gogoanume.pro
    hushmailgmx.com
    trjisa.com
    notontrend.com
    2020polltax.com
    orderhappy.club
    panggabean.net
    govsathi.com
    hrsbxg.com
    xvideotokyo.online
    lotteplaze.com
    lovecleanliveclean.com
    swaphomeloans.net
    arcadems.info
    creatingstrongerathletes.com
    follaproperties.com
    i-postgram.com
    bootybella.fitness
    avtofan.net
    bimbavbi.com
    yourtravelsbuddy.com
    laiofit.com
    ofnick.com
    2g6gc6zma9g.net
    phamthanhdam.com
    shopteve.com
    add-fast.com
    studioloungemke.com
    maxtoutfitness.com
    mapleway.systems
    login-settings.com
    affoshop.com
    hupubets.com
    3energyservices.com
    ccmfonline.com
    keyhousebuyers.com
    curvecue.com
    developerdevelopment.com
    jamesdunnandsons.com
    devyassine.com
    dongyilove.com
    alienpuran.com
    tuolp.com

Signatures 11

  • Xloader

    Description

    Xloader is the rebranded successor of the Formbook information stealer; this sample's C2 check-in still matches the FormBook Suricata rule listed below.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/832-66-0x0000000000400000-0x0000000000428000-memory.dmp    xloader
    behavioral1/memory/832-67-0x000000000041D040-mapping.dmp                      xloader
    behavioral1/memory/1628-76-0x00000000000E0000-0x0000000000108000-memory.dmp   xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid    process
    608    cmd.exe
  • Suspicious use of SetThreadContext
    ledger.exeledger.exeexplorer.exe

    Reported IOCs

    description                            pid     process        target process
    PID 1080 set thread context of 832     1080    ledger.exe     ledger.exe
    PID 832 set thread context of 1212     832     ledger.exe     Explorer.EXE
    PID 1628 set thread context of 1212    1628    explorer.exe   Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    ledger.exeexplorer.exe

    Reported IOCs

    pid     process        events
    832     ledger.exe     2
    1628    explorer.exe   19
  • Suspicious behavior: MapViewOfSection
    ledger.exeexplorer.exe

    Reported IOCs

    pid     process        events
    832     ledger.exe     3
    1628    explorer.exe   2
  • Suspicious use of AdjustPrivilegeToken
    ledger.exeexplorer.exe

    Reported IOCs

    description                 pid     process
    Token: SeDebugPrivilege     832     ledger.exe
    Token: SeDebugPrivilege     1628    explorer.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid     process        events
    1212    Explorer.EXE   4
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid     process        events
    1212    Explorer.EXE   4
  • Suspicious use of WriteProcessMemory
    ledger.exeExplorer.EXEexplorer.exe

    Reported IOCs

    description                          pid     process        target process   events
    PID 1080 wrote to memory of 832      1080    ledger.exe     ledger.exe       7
    PID 1212 wrote to memory of 1628     1212    Explorer.EXE   explorer.exe     4
    PID 1628 wrote to memory of 608      1628    explorer.exe   cmd.exe          4
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\ledger.exe
      "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\ledger.exe
        "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:832
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
        Deletes itself
        PID:608
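The tree and the signature tables above describe one chain: ledger.exe (PID 1080) writes into and sets the thread context of a second copy of itself (832); that copy sets the thread context of the shell, Explorer.EXE (1212); Explorer.EXE then launches C:\Windows\SysWOW64\explorer.exe (1628), which sets Explorer.EXE's thread context again and spawns cmd.exe (608) to delete the original file. The following is an added example, not part of the sandbox report or its tooling, that turns those tables into a small detection: it labels each SetThreadContext call as hollowing of a child or hijack of an existing process, and lists every pid the chain passed through. The event tuples and image paths are constructed here from the tables and tree on this page (repeated rows collapsed); the field order and labels are my own, not the sandbox's schema.

```python
from collections import defaultdict

# Image paths per pid, copied from the 'Processes' tree on this page.
IMAGES = {
    1080: r"C:\Users\Admin\AppData\Local\Temp\ledger.exe",
    832:  r"C:\Users\Admin\AppData\Local\Temp\ledger.exe",
    1212: r"C:\Windows\Explorer.EXE",
    1628: r"C:\Windows\SysWOW64\explorer.exe",
    608:  r"C:\Windows\SysWOW64\cmd.exe",
}

# (api, caller pid, target pid), constructed from the SetThreadContext and
# WriteProcessMemory tables in the signatures above, repeated rows collapsed.
EVENTS = [
    ("WriteProcessMemory", 1080, 832),
    ("SetThreadContext",   1080, 832),
    ("SetThreadContext",   832,  1212),
    ("WriteProcessMemory", 1212, 1628),
    ("SetThreadContext",   1628, 1212),
    ("WriteProcessMemory", 1628, 608),
]


def classify_injections(events, images):
    """Label each SetThreadContext call.

    'hollowed-child': the caller wrote into a process running the same
    image and then replaced its thread context (hollowing of a child).
    'thread-hijack': the caller replaced the thread context of a process
    running a different image (injection into an existing process).
    """
    wrote_to = defaultdict(set)
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            wrote_to[src].add(dst)

    findings = []
    for api, src, dst in events:
        if api != "SetThreadContext":
            continue
        # Compare full paths: Explorer.EXE and SysWOW64\explorer.exe share a basename.
        same_image = images[src].lower() == images[dst].lower()
        if same_image and dst in wrote_to[src]:
            findings.append(("hollowed-child", src, dst))
        elif not same_image:
            findings.append(("thread-hijack", src, dst))
    return findings


def reached_from(root, events):
    """Every pid the sample's code touched, following both kinds of edge.

    A WriteProcessMemory from a parent into a freshly created child is also
    what an ordinary CreateProcess looks like, so on its own it is not
    evidence of injection; it is still a valid edge for scoping which
    processes the chain passed through.
    """
    edges = defaultdict(set)
    for _, src, dst in events:
        edges[src].add(dst)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for nxt in edges[pid]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    for label, src, dst in classify_injections(EVENTS, IMAGES):
        print(f"{label:15} {src} {IMAGES[src]} -> {dst} {IMAGES[dst]}")
    print("touched:", sorted(reached_from(1080, EVENTS)))
```

The rule keys on SetThreadContext rather than on WriteProcessMemory alone, because the 1212 -> 1628 and 1628 -> 608 writes are simply a parent starting a child; the two cross-image SetThreadContext calls into Explorer.EXE are what separate this chain from normal shell activity.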
Network
MITRE ATT&CK Matrix
  Tactic columns only; the report maps no techniques to them: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/608-74-0x0000000000000000-mapping.dmp
  • memory/832-69-0x0000000000120000-0x0000000000130000-memory.dmp
  • memory/832-68-0x0000000000A20000-0x0000000000D23000-memory.dmp
  • memory/832-66-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/832-67-0x000000000041D040-mapping.dmp
  • memory/1080-64-0x0000000005170000-0x00000000051D0000-memory.dmp
  • memory/1080-65-0x0000000004F60000-0x0000000004F8A000-memory.dmp
  • memory/1080-62-0x0000000004E20000-0x0000000004E21000-memory.dmp
  • memory/1080-63-0x00000000008C0000-0x00000000008D6000-memory.dmp
  • memory/1080-60-0x00000000010D0000-0x00000000010D1000-memory.dmp
  • memory/1212-70-0x0000000004E80000-0x0000000005007000-memory.dmp
  • memory/1212-79-0x0000000003E20000-0x0000000003EE5000-memory.dmp
  • memory/1628-72-0x0000000075801000-0x0000000075803000-memory.dmp
  • memory/1628-71-0x0000000000000000-mapping.dmp
  • memory/1628-75-0x0000000000280000-0x0000000000501000-memory.dmp
  • memory/1628-76-0x00000000000E0000-0x0000000000108000-memory.dmp
  • memory/1628-77-0x00000000021D0000-0x00000000024D3000-memory.dmp
  • memory/1628-78-0x00000000020F0000-0x000000000217F000-memory.dmp
  • memory/1628-73-0x0000000074581000-0x0000000074583000-memory.dmp