d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

General
  Target     d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
  Filesize   421KB
  Completed  24-09-2021 13:12
  Score      10/10
  MD5        859a1a6574e4a09027f729908318b282
  SHA1       bf7c9e96ca263d7811f7357f8645af42b04c093b
  SHA256     d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7

Malware Config

Extracted
  Family    xloader
  Version   2.5
  Campaign  arup
  C2        http://www.sapphiretype.com/arup/
  Decoy
    mezonpezon.com
    bellapbd.com
    xn--2kr800ab2z.group
    cupecoysuites.com
    extractselect.com
    cherrycooky.com
    reshawna.com
    bluewinetours.com
    dez2fly.com
    washedproductions.com
    om-asahi-kasei-jp.com
    talkingpoint.tours
    avaspacecompany.com
    fbtvmall.com
    trocaoferta.com
    mionegozio.com
    reitschuetz.com
    basepicks.com
    networkagricity.com
    kastore.club
    groovydeer.com
    realisa.net
    891708.com
    naveenachittibiyina.com
    guizhouawj.com
    royaltortoisecookieco.online
    scubafarm.com
    sibo.care
    rapi-vet.com
    metaid.website
    shadoworksart.com
    gratitudegalore.com
    penhal.com
    fetch-an-us-itchy.zone
    melisaakyolicmimarlik.com
    yiweise.com
    sofasstorremolinos.com
    rfanil.com
    metaverselemon.com
    theholidaymovieplanner.com
    n4sins.com
    fortcor.com
    galaxysingle.com
    gzwqpsyj.com
    azur-riviera-rental.com
    bharathpaperbagmachine.com
    pinup722bk.com
    darkness.global
    theihearthotel.com
    wecowork.net

Signatures 5

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource                                                                     | yara_rule
    behavioral1/memory/1520-125-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1520-126-0x000000000041D4B0-mapping.dmp                   | xloader
  • Suspicious use of SetThreadContext
    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe

    Reported IOCs

    description                         | pid  | process                                                              | target process
    PID 2372 set thread context of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
  • Suspicious behavior: EnumeratesProcesses
    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe

    Reported IOCs

    pid  | process
    1520 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    1520 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
  • Suspicious use of WriteProcessMemory
    d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe

    Reported IOCs

    description                      | pid  | process                                                              | target process
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    PID 2372 wrote to memory of 1520 | 2372 | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe | d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
    "C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe
      "C:\Users\Admin\AppData\Local\Temp\d84f2a05198d85dd6f2bf606fe6e24f7ca929cff9796d6b7f269bb8e7cf8b2a7.exe"
      Suspicious behavior: EnumeratesProcesses
      PID:1520
Network

MITRE ATT&CK Matrix
  Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1520-125-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/1520-126-0x000000000041D4B0-mapping.dmp
  • memory/1520-127-0x00000000013D0000-0x00000000016F0000-memory.dmp
  • memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmp
  • memory/2372-117-0x0000000005120000-0x0000000005121000-memory.dmp
  • memory/2372-118-0x0000000004B70000-0x0000000004B71000-memory.dmp
  • memory/2372-122-0x0000000004EC0000-0x0000000004EC4000-memory.dmp
  • memory/2372-123-0x0000000007440000-0x000000000749C000-memory.dmp
  • memory/2372-124-0x00000000074A0000-0x00000000074CC000-memory.dmp
  • memory/2372-119-0x0000000004C20000-0x000000000511E000-memory.dmp
  • memory/2372-120-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
  • memory/2372-121-0x0000000006FC0000-0x0000000006FC1000-memory.dmp