Overview

overview

10

Static

static

2a59d23966...08.exe

windows7_x64

10

2a59d23966...08.exe

windows10_x64

5

Analysis

  • max time kernel
    147s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-en-20210916
  • submitted
    17-09-2021 21:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a59d2396654692dc87a81df7554b608.exe

  • Size

    433KB

  • MD5

    2a59d2396654692dc87a81df7554b608

  • SHA1

    a545b6bc8ab5afd12feb22686af50f4075fb61cd

  • SHA256

    04e98a900ca361b68ebcfbad6453ddc626d93c8afb13916c18dd0e9648187566

  • SHA512

    a612f5fe059baf09f6aa30c7a41c9c00d225f326d5d6a10476aa1969c2e0ce3c39986b519ff77be787a61695d71e2fc18766ea9f93509332096c0d7e613cbea8

Score
10/10
xloaderb6a4loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

C2

http://www.helpmovingandstorage.com/b6a4/

Decoy

gr2future.com

asteroid.finance

skoba-plast.com

rnerfrfw5z3ki.net

thesmartroadtoretirement.com

avisdrummondhomes.com

banban365.net

profesyonelkampcadiri.net

royalloanhs.com

yulujy.com

xn--naqejahan-n3b.com

msalee.net

dollyvee.com

albertagamehawkersclub.com

cbspecialists.com

findingforeverrealty.com

mrtireshop.com

wadamasanari.com

growtechinfo.com

qipai039.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a59d2396654692dc87a81df7554b608.exe
    "C:\Users\Admin\AppData\Local\Temp\2a59d2396654692dc87a81df7554b608.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\2a59d2396654692dc87a81df7554b608.exe
      "C:\Users\Admin\AppData\Local\Temp\2a59d2396654692dc87a81df7554b608.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/524-55-0x000000000041D0B0-mapping.dmp
    Download
  • memory/524-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/524-57-0x00000000008D0000-0x0000000000BD3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/980-53-0x0000000076921000-0x0000000076923000-memory.dmp
    Filesize

    8KB

    Download
  • memory/980-54-0x0000000000100000-0x0000000000102000-memory.dmp
    Filesize

    8KB

    Download