Overview

overview

10

Static

static

RFQ356284678,pdf.exe

windows7_x64

10

RFQ356284678,pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    15-09-2021 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ356284678,pdf.exe

  • Size

    401KB

  • MD5

    30b799e145ec03674de8d27ae3e5c0ba

  • SHA1

    339a5df9d70b31d0b59a5e97d672f12ccb67e45e

  • SHA256

    5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

  • SHA512

    d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

Score
10/10
xloadergv6dloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gv6d

C2

http://www.breakaway.uk/gv6d/

Decoy

bigfatgay.com

czrsgd168.com

bnkinvestments.com

uhchearingfl.com

hooktowingco.com

bold2x.com

dirtyhandsdigital.com

princetonreviewes.com

typhoonmusicgroup.com

onlinemathcoach.net

safecareethiopia.net

alvarogdeo.com

access-sca-login.pro

handbagswholesalemaster.com

whoaservices.com

telemunndopr.com

dream2works.com

itemconfirmation.com

kentebags.com

chennaipremium.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:356
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:2664
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\RFQ356284678,pdf.exe"
          3⤵
            PID:3600
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:3580
          • C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe
            "C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe
              "C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2152

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe
          MD5

          30b799e145ec03674de8d27ae3e5c0ba

          SHA1

          339a5df9d70b31d0b59a5e97d672f12ccb67e45e

          SHA256

          5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

          SHA512

          d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

          Download Submit
        • C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe
          MD5

          30b799e145ec03674de8d27ae3e5c0ba

          SHA1

          339a5df9d70b31d0b59a5e97d672f12ccb67e45e

          SHA256

          5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

          SHA512

          d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

          Download Submit
        • C:\Program Files (x86)\Cvtato\mjotol9hnn-lg.exe
          MD5

          30b799e145ec03674de8d27ae3e5c0ba

          SHA1

          339a5df9d70b31d0b59a5e97d672f12ccb67e45e

          SHA256

          5df88b107258b6f9b91512ca18b098fec01005b71eed470932f006103d5bb346

          SHA512

          d37d9be8f9bc3c17afead37c22b91a96fe2cb4314d09424270e75b2f36d7be4a9d560540909508170f8c0e3e2d1ba0635595045a6299ea5e6f8be215007b841e

          Download Submit
        • memory/356-118-0x0000000001470000-0x0000000001790000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/356-119-0x0000000000E00000-0x0000000000F4A000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/356-117-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/356-121-0x0000000000F70000-0x0000000000F80000-memory.dmp
          Filesize

          64KB

          Download
        • memory/356-115-0x000000000041CFC0-mapping.dmp
          Download
        • memory/1008-130-0x0000000000000000-mapping.dmp
          Download
        • memory/1008-135-0x0000000001240000-0x0000000001256000-memory.dmp
          Filesize

          88KB

          Download
        • memory/2152-133-0x000000000041CFC0-mapping.dmp
          Download
        • memory/2152-136-0x0000000000F30000-0x0000000001250000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2556-123-0x0000000000000000-mapping.dmp
          Download
        • memory/2556-127-0x0000000004610000-0x0000000004930000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2556-128-0x0000000004470000-0x00000000044FF000-memory.dmp
          Filesize

          572KB

          Download
        • memory/2556-124-0x0000000001060000-0x0000000001066000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2556-125-0x00000000006B0000-0x00000000006D8000-memory.dmp
          Filesize

          160KB

          Download
        • memory/3036-129-0x0000000000650000-0x00000000006F7000-memory.dmp
          Filesize

          668KB

          Download
        • memory/3036-122-0x0000000006A80000-0x0000000006BCE000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3036-120-0x0000000006880000-0x0000000006953000-memory.dmp
          Filesize

          844KB

          Download
        • memory/3580-137-0x0000000000000000-mapping.dmp
          Download
        • memory/3580-139-0x0000023134780000-0x00000231348C5000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3580-138-0x00007FF6B2000000-0x00007FF6B2093000-memory.dmp
          Filesize

          588KB

          Download
        • memory/3600-126-0x0000000000000000-mapping.dmp
          Download
        • memory/4044-116-0x0000000000870000-0x0000000000872000-memory.dmp
          Filesize

          8KB

          Download