INVOICE.exe

General

Target: INVOICE.exe
Filesize: 1MB
Completed: 24-09-2021 15:05
Score: 10/10
MD5: 3e0b369f71d263bd0918bfce2b1873c3
SHA1: 0919aa900e50b290cc90426537ec25a9c44496b0
SHA256: c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: m6rs
C2: http://www.litediv.com/m6rs/
Decoy:
  globalsovereignbank.com
  ktnrape.xyz
  churchybulletin.com
  ddyla.com
  imatge.cat
  iwholesalestore.com
  cultivapro.club
  ibcfcl.com
  refurbisheddildo.com
  killerinktnpasumo4.xyz
  mdphotoart.com
  smi-ity.com
  stanprolearningcenter.com
  companyintelapp.com
  tacticarc.com
  soolls.com
  gra68.net
  cedricettori.digital
  mossobuy.com
  way2liv.com
  j9b.xyz
  bmfgi.com
  gargantua-traiteur.com
  tavolabread.com
  neoplus-create.com
  tracks-clicks.com
  santsp.com
  tokusa-f.com
  yardparx.online
  seinvestments-sg.com
  elegantbrushes.net
  restaurantemachupicchu.com
  ha0313.com
  dock7rods.com
  emphatictrifles.com
  onefunline.top
  caulsshop.com
  kittyol.com
  thehealthyheifer.net
  plotmyplot.com
  leewaysvcs.com
  eur86.com
  lightsinwall.com
  jiankangkyw.com
  travilent.com
  dvaccounts.com
  wittyon.com
  tommywoodenski.com
  dividendoylibertad.com
  aqscksw.com

Signatures 9

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3204-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral2/memory/3204-125-0x000000000041D3D0-mapping.dmp | xloader
    behavioral2/memory/3868-132-0x0000000000700000-0x0000000000729000-memory.dmp | xloader
  • Suspicious use of SetThreadContext
    INVOICE.exe, INVOICE.exe, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 4796 set thread context of 3204 | 4796 | INVOICE.exe | INVOICE.exe
    PID 3204 set thread context of 2900 | 3204 | INVOICE.exe | Explorer.EXE
    PID 3868 set thread context of 2900 | 3868 | wscript.exe | Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    INVOICE.exe, wscript.exe

    Reported IOCs

    pid | process
    3204 | INVOICE.exe (4 identical entries)
    3868 | wscript.exe (40 identical entries)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    2900 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    INVOICE.exe, wscript.exe

    Reported IOCs

    pid | process
    3204 | INVOICE.exe (3 identical entries)
    3868 | wscript.exe (2 identical entries)
  • Suspicious use of AdjustPrivilegeToken
    INVOICE.exe, Explorer.EXE, wscript.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3204 | INVOICE.exe
    Token: SeShutdownPrivilege | 2900 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2900 | Explorer.EXE
    Token: SeDebugPrivilege | 3868 | wscript.exe
    Token: SeShutdownPrivilege | 2900 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2900 | Explorer.EXE
    Token: SeShutdownPrivilege | 2900 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2900 | Explorer.EXE
  • Suspicious use of UnmapMainImage
    Explorer.EXE

    Reported IOCs

    pid | process
    2900 | Explorer.EXE
  • Suspicious use of WriteProcessMemory
    INVOICE.exe, Explorer.EXE, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 4796 wrote to memory of 3204 | 4796 | INVOICE.exe | INVOICE.exe (6 identical entries)
    PID 2900 wrote to memory of 3868 | 2900 | Explorer.EXE | wscript.exe (3 identical entries)
    PID 3868 wrote to memory of 3440 | 3868 | wscript.exe | cmd.exe (3 identical entries)
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:3204
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        PID:3440
Network
MITRE ATT&CK Matrix
Downloads
  • memory/2900-135-0x0000000005590000-0x00000000056EB000-memory.dmp
  • memory/2900-128-0x0000000002EA0000-0x0000000002F81000-memory.dmp
  • memory/3204-127-0x0000000001300000-0x0000000001311000-memory.dmp
  • memory/3204-126-0x0000000001320000-0x0000000001640000-memory.dmp
  • memory/3204-124-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/3204-125-0x000000000041D3D0-mapping.dmp
  • memory/3440-130-0x0000000000000000-mapping.dmp
  • memory/3868-129-0x0000000000000000-mapping.dmp
  • memory/3868-133-0x00000000045B0000-0x00000000048D0000-memory.dmp
  • memory/3868-132-0x0000000000700000-0x0000000000729000-memory.dmp
  • memory/3868-131-0x0000000000850000-0x0000000000877000-memory.dmp
  • memory/3868-134-0x0000000004410000-0x00000000044A0000-memory.dmp
  • memory/4796-123-0x0000000008340000-0x0000000008372000-memory.dmp
  • memory/4796-122-0x00000000081D0000-0x0000000008231000-memory.dmp
  • memory/4796-121-0x0000000005BC0000-0x0000000005BC7000-memory.dmp
  • memory/4796-120-0x0000000007E40000-0x0000000007E41000-memory.dmp
  • memory/4796-119-0x0000000005A40000-0x0000000005F3E000-memory.dmp
  • memory/4796-118-0x0000000005B00000-0x0000000005B01000-memory.dmp
  • memory/4796-117-0x0000000005A40000-0x0000000005A41000-memory.dmp
  • memory/4796-116-0x0000000005F40000-0x0000000005F41000-memory.dmp
  • memory/4796-114-0x0000000000F10000-0x0000000000F11000-memory.dmp