Overview

overview

10

Static

static

Payment document.exe

windows7_x64

10

Payment document.exe

windows10_x64

10

Resubmissions

27-09-2021 04:27

210927-e27gbaffej 10

15-09-2021 13:46

210915-q22fvaagb2 10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    15-09-2021 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment document.exe

  • Size

    532KB

  • MD5

    d0cceb56aaec4f8d458498904813b790

  • SHA1

    8efefaefb2a32c05c3282721be10c0b838c0cc96

  • SHA256

    bb60b98852cad89fe450ec8486cee96bb6932b29c692f97d5b7ed7936556845f

  • SHA512

    26137c91ab694b4bc21d06ed5f5f916c6884f7a7a94536a22948290c9cfa1cb1ac84ecd4f0893784eaab0eb6c674f05d6062b0dc6f61293935bb3eef53571de0

Score
10/10
xloaderdbewloaderrat

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

dbew

C2

http://www.mengtai.xyz/dbew/

Decoy

unblock-sites.xyz

xkmfiue.com

8pz96.com

affkart.com

attila-velte.com

hyrq30.website

tinoovia.com

egraintrade.com

smokynagata.com

welojz.xyz

lizethdavid.com

traumland56.com

player23games.com

mvnupersonaltraining.com

anonymousmen.com

learnchinese-school.com

haus-us.com

homayounmusic.com

kp-taku.com

djalleykat.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\Payment document.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Local\Temp\Payment document.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4044
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
        3⤵
          PID:776

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/776-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2280-129-0x0000000006030000-0x0000000006145000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2280-136-0x0000000002BC0000-0x0000000002C8D000-memory.dmp
      Filesize

      820KB

      Download
    • memory/3656-135-0x0000000004980000-0x0000000004A10000-memory.dmp
      Filesize

      576KB

      Download
    • memory/3656-134-0x0000000004CB0000-0x0000000004FD0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3656-132-0x0000000000C20000-0x000000000105F000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/3656-133-0x00000000006E0000-0x0000000000709000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3656-130-0x0000000000000000-mapping.dmp
      Download
    • memory/3972-121-0x0000000005230000-0x0000000005231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3972-124-0x00000000081A0000-0x00000000081CB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/3972-123-0x0000000005C90000-0x0000000005CEE000-memory.dmp
      Filesize

      376KB

      Download
    • memory/3972-122-0x0000000004F50000-0x0000000004F57000-memory.dmp
      Filesize

      28KB

      Download
    • memory/3972-115-0x0000000000680000-0x0000000000681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3972-120-0x0000000004FB0000-0x00000000054AE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3972-119-0x0000000004F30000-0x0000000004F31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3972-118-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3972-117-0x00000000054B0000-0x00000000054B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-125-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4044-126-0x000000000041D3E0-mapping.dmp
      Download
    • memory/4044-128-0x00000000017B0000-0x00000000017C1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4044-127-0x0000000001880000-0x0000000001BA0000-memory.dmp
      Filesize

      3.1MB

      Download