INVOICE.exe

General

Target: INVOICE.exe
Filesize: 1MB
Completed: 24-09-2021 15:05
Score: 10/10
MD5: 3e0b369f71d263bd0918bfce2b1873c3
SHA1: 0919aa900e50b290cc90426537ec25a9c44496b0
SHA256: c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: m6rs
C2: http://www.litediv.com/m6rs/

Decoy

Signatures 10

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1532-59-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1532-60-0x000000000041D3D0-mapping.dmp | xloader
    behavioral1/memory/1680-67-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    612 | cmd.exe
  • Suspicious use of SetThreadContext
    INVOICE.exe, INVOICE.exe, netsh.exe

    Reported IOCs

    description | pid | process | target process
    PID 2024 set thread context of 1532 | 2024 | INVOICE.exe | INVOICE.exe
    PID 1532 set thread context of 1264 | 1532 | INVOICE.exe | Explorer.EXE
    PID 1680 set thread context of 1264 | 1680 | netsh.exe | Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    INVOICE.exe, netsh.exe

    Reported IOCs

    pid | process
    1532 | INVOICE.exe (reported 2 times)
    1680 | netsh.exe (reported 23 times)
  • Suspicious behavior: MapViewOfSection
    INVOICE.exe, netsh.exe

    Reported IOCs

    pid | process
    1532 | INVOICE.exe (reported 3 times)
    1680 | netsh.exe (reported 2 times)
  • Suspicious use of AdjustPrivilegeToken
    INVOICE.exe, netsh.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1532 | INVOICE.exe
    Token: SeDebugPrivilege | 1680 | netsh.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1264 | Explorer.EXE (reported 2 times)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1264 | Explorer.EXE (reported 2 times)
  • Suspicious use of WriteProcessMemory
    INVOICE.exe, Explorer.EXE, netsh.exe

    Reported IOCs

    description | pid | process | target process
    PID 2024 wrote to memory of 1532 | 2024 | INVOICE.exe | INVOICE.exe (reported 7 times)
    PID 1264 wrote to memory of 1680 | 1264 | Explorer.EXE | netsh.exe (reported 4 times)
    PID 1680 wrote to memory of 612 | 1680 | netsh.exe | cmd.exe (reported 4 times)
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1532
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        Deletes itself
        PID:612
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/612-65-0x0000000000000000-mapping.dmp
  • memory/1264-71-0x0000000006CE0000-0x0000000006E54000-memory.dmp
  • memory/1264-63-0x0000000003E20000-0x0000000003EE1000-memory.dmp
  • memory/1532-60-0x000000000041D3D0-mapping.dmp
  • memory/1532-62-0x0000000000290000-0x00000000002A1000-memory.dmp
  • memory/1532-61-0x0000000000C30000-0x0000000000F33000-memory.dmp
  • memory/1532-59-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/1680-67-0x0000000000080000-0x00000000000A9000-memory.dmp
  • memory/1680-66-0x0000000001470000-0x000000000148B000-memory.dmp
  • memory/1680-69-0x0000000075821000-0x0000000075823000-memory.dmp
  • memory/1680-68-0x0000000000A90000-0x0000000000D93000-memory.dmp
  • memory/1680-64-0x0000000000000000-mapping.dmp
  • memory/1680-70-0x00000000009C0000-0x0000000000A50000-memory.dmp
  • memory/2024-58-0x0000000004D20000-0x0000000004D52000-memory.dmp
  • memory/2024-57-0x00000000056B0000-0x0000000005711000-memory.dmp
  • memory/2024-56-0x0000000000370000-0x0000000000377000-memory.dmp
  • memory/2024-55-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
  • memory/2024-53-0x0000000000B20000-0x0000000000B21000-memory.dmp