Overview

overview

10

Static

static

2a69371ccb...b9.exe

windows7_x64

10

2a69371ccb...b9.exe

windows10_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    18-09-2021 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a69371ccb46bbc07aebe99359fd69b9.exe

  • Size

    477KB

  • MD5

    2a69371ccb46bbc07aebe99359fd69b9

  • SHA1

    8be1b2e74bb857b130222bf2604fa79952792034

  • SHA256

    06db28157cbf8afaef9fada2db963f0a1f81a266512c748dc6ea86d371036900

  • SHA512

    fd8089141d3a926e197c3aee2ed4b44798591b0311a5973de3eafc88c1837d9620c413a873c27c579ce133f299926026938601b0784dd50588ca02cf123835af

Score
10/10
xloaderuytfloaderrat

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

uytf

C2

http://www.fasilitatortoefl.com/uytf/

Decoy

estherestates.online

babyballetwigan.com

ignorantrough.xyz

moominmamalog.com

pasticcerialemmi.com

orangstyle.com

oldwaterfordfarm.com

aiiqiuwnsas.com

youindependents.com

runbank.net

phytolipshine.com

almedmedicalcenter.com

czxzsa.com

yummyblockparty.com

gadgetinfo.info

cloudfolderplayer.com

chowding.com

xn--tarzmbu-ufb.com

danielaasab.com

dreampropertiesluxury.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a69371ccb46bbc07aebe99359fd69b9.exe
    "C:\Users\Admin\AppData\Local\Temp\2a69371ccb46bbc07aebe99359fd69b9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\2a69371ccb46bbc07aebe99359fd69b9.exe
      "C:\Users\Admin\AppData\Local\Temp\2a69371ccb46bbc07aebe99359fd69b9.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3556-115-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3556-117-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3556-118-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3556-119-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3556-120-0x0000000004A30000-0x0000000004F2E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3556-121-0x0000000004CD0000-0x0000000004CD7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3556-122-0x0000000006E30000-0x0000000006E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3556-123-0x0000000007260000-0x00000000072C0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/3556-124-0x0000000009A30000-0x0000000009A5B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/3920-125-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3920-126-0x000000000041D520-mapping.dmp
    Download
  • memory/3920-127-0x00000000011C0000-0x00000000014E0000-memory.dmp
    Filesize

    3.1MB

    Download