Overview

overview

10

Static

static

1

9d38faec32...80.exe

windows7_x64

10

9d38faec32...80.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-09-2021 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d38faec3253e9ce395c8970d03d8180.exe

  • Size

    253KB

  • MD5

    9d38faec3253e9ce395c8970d03d8180

  • SHA1

    53128b83b922c39ed32065c9d8baae2c13059719

  • SHA256

    1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

  • SHA512

    0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

Score
10/10
xloader9gdgloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

9gdg

C2

http://www.dechocolate.online/9gdg/

Decoy

cao-catos.ca

humanityumbrella.com

heatherflintford.com

paddyjulian.com

venturedart.com

pimpyoursmile.com

shellbacklabs.com

acesteeisupply.com

socotrajeweltours.com

aykutozden.com

corncobmeal.com

lesbiansforever.com

picknock.com

pawspetreiki.com

waikikidesignco.com

lelittnpasumo4.xyz

billing-updating.info

barangdapo.com

gatorfirerescue.com

jmovt.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d38faec3253e9ce395c8970d03d8180.exe
    "C:\Users\Admin\AppData\Local\Temp\9d38faec3253e9ce395c8970d03d8180.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\9d38faec3253e9ce395c8970d03d8180.exe
      "C:\Users\Admin\AppData\Local\Temp\9d38faec3253e9ce395c8970d03d8180.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsvAC36.tmp\chav.dll
    MD5

    03cae9032f6d2d44d8ecd93c87f1313f

    SHA1

    fe8f16836750db7d7fcb42d1d0ea77d55d145832

    SHA256

    ba8dc1fbfac80564485d83433578839c4ffe432e4ec3e81182fb7eadcc54c6b8

    SHA512

    5871980c59e457f47e47c86232640b2211c89bc6d3a9da7f89bf73f8f09fc6a8a48c9b88412c84367d7162349103192107ec24af637cd96227edd0db320fdc67

    Download Submit
  • memory/1048-53-0x00000000755A1000-0x00000000755A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1704-55-0x000000000041D4A0-mapping.dmp
    Download
  • memory/1704-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1704-57-0x0000000000730000-0x0000000000A33000-memory.dmp
    Filesize

    3.0MB

    Download