Overview

overview

10

Static

static

83843e9448...75.exe

windows7_x64

10

83843e9448...75.exe

windows10_x64

10

Resubmissions

27-09-2021 02:32

210927-c1drhafeg6 10

10-09-2021 09:33

210910-ljmgrahha6 10

Analysis

  • max time kernel
    97s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-09-2021 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83843e9448edc71956a3926bbe5dcc28cf29b375.exe

  • Size

    501KB

  • MD5

    d7f127ac909e3fcfed12491dff3d4f29

  • SHA1

    83843e9448edc71956a3926bbe5dcc28cf29b375

  • SHA256

    a687c755bac51d13e6b038d7e737261fb6922ff8eef86300058048c1f84ec844

  • SHA512

    bac89961cb3b9f539d5aa75a9192b37128d108bd47e903eafa36882393fa2c6e1d4990c10041898a928c4b0792a8215b409ad3ce2ee572543f75a3759e01e482

Score
10/10
xloaderconvloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

conv

C2

http://www.7stepsmeal.com/conv/

Decoy

hydrusgraphene.com

eastwindshomes.com

f1-holding.com

tomrings.com

nickysclosetnest.com

eckare88.com

southboundsupplies.com

asilar.net

ludiali.com

sarahasmussen.com

terreetmerphotography.com

tesserlink.com

xayxcq.com

jobforage.com

76leads.com

onyamarx.com

sandrinafloral.com

a5y7tvmr4.xyz

greatdanesuk.com

superbartendergigs.store

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83843e9448edc71956a3926bbe5dcc28cf29b375.exe
    "C:\Users\Admin\AppData\Local\Temp\83843e9448edc71956a3926bbe5dcc28cf29b375.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\83843e9448edc71956a3926bbe5dcc28cf29b375.exe
      "C:\Users\Admin\AppData\Local\Temp\83843e9448edc71956a3926bbe5dcc28cf29b375.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/904-65-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/904-66-0x000000000041CFA0-mapping.dmp
    Download
  • memory/904-67-0x0000000000960000-0x0000000000C63000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2000-59-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-61-0x0000000004950000-0x0000000004951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-62-0x0000000000660000-0x0000000000667000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2000-63-0x0000000005070000-0x00000000050D0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2000-64-0x00000000048D0000-0x00000000048FA000-memory.dmp
    Filesize

    168KB

    Download