Resubmissions

24-09-2021 11:59

210924-n5z13sghb4 10

10-09-2021 09:11

210910-k5z5ashgh3 10

Analysis

  • max time kernel
    297s
  • max time network
    302s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-09-2021 11:59

General

  • Target

    B1o.exe

  • Size

    614KB

  • MD5

    5e3dc4e700d55cb8232bdbeade8ca8ad

  • SHA1

    8a4c46e292dafb7db736c03f784a997b6dece9aa

  • SHA256

    00aa65bb6c94d28f04933ebc90a56bf75d62ac3cd246afa1ef60d671a40ee978

  • SHA512

    6b1d6e010c303ea7663f33d82255eea9f0c0c2b941301788b3e811138c1f08021b922e4a63426b2f3deb00d5b36e4d2eed3ea640a7562998836b87e2bfa02cf9

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

chg

C2

http://www.chiaketo.com/chg/

Decoy

worldvaypg.com

cremationprosguiding.info

counterpub.com

steamed-chicken.com

bethhavencemetery.com

wanda12.com

thejdot.com

juliusbuckley.com

realloveawaitsnow.com

healthandenergyadvisors.com

stockholmfasadputs.com

uvsafetysolutions.com

mamucosmetic.com

konoozalyemen.com

grillschalen.com

zljmys.com

paradseautos.com

home360.asia

domentemenegi37.com

farazahmadosama.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Users\Admin\AppData\Local\Temp\B1o.exe
      "C:\Users\Admin\AppData\Local\Temp\B1o.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1312
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
      • C:\Users\Admin\AppData\Local\Temp\B1o.exe
        "C:\Users\Admin\AppData\Local\Temp\B1o.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
          PID:3960
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:3616

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Collection

      Data from Local System

      1
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        MD5

        b608d407fc15adea97c26936bc6f03f6

        SHA1

        953e7420801c76393902c0d6bb56148947e41571

        SHA256

        b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

        SHA512

        cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

      • memory/392-121-0x0000000005F40000-0x0000000006079000-memory.dmp
        Filesize

        1.2MB

      • memory/392-127-0x0000000004C50000-0x0000000004DC1000-memory.dmp
        Filesize

        1.4MB

      • memory/2404-115-0x0000000000730000-0x0000000000731000-memory.dmp
        Filesize

        4KB

      • memory/2924-122-0x0000000000000000-mapping.dmp
      • memory/2924-123-0x00000000008C0000-0x00000000008CC000-memory.dmp
        Filesize

        48KB

      • memory/2924-124-0x0000000002B50000-0x0000000002B78000-memory.dmp
        Filesize

        160KB

      • memory/2924-125-0x0000000004B30000-0x0000000004E50000-memory.dmp
        Filesize

        3.1MB

      • memory/2924-126-0x00000000049A0000-0x0000000004A2F000-memory.dmp
        Filesize

        572KB

      • memory/3616-131-0x00007FF61EB40000-0x00007FF61EBD3000-memory.dmp
        Filesize

        588KB

      • memory/3616-132-0x000001FA720D0000-0x000001FA721CE000-memory.dmp
        Filesize

        1016KB

      • memory/3616-130-0x0000000000000000-mapping.dmp
      • memory/3960-128-0x0000000000000000-mapping.dmp
      • memory/4092-120-0x0000000000590000-0x00000000005A0000-memory.dmp
        Filesize

        64KB

      • memory/4092-119-0x0000000000B30000-0x0000000000E50000-memory.dmp
        Filesize

        3.1MB

      • memory/4092-118-0x000000000041D030-mapping.dmp
      • memory/4092-116-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB