Overview

overview

10

Static

static

swift_copy...df.exe

windows7_x64

10

swift_copy...df.exe

windows10_x64

10

Resubmissions

27-09-2021 03:06

210927-dltpvafedm 10

14-09-2021 15:14

210914-smbyraahel 10

Analysis

  • max time kernel
    601s
  • max time network
    600s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    27-09-2021 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift_copy_MT103_pdf.exe

  • Size

    501KB

  • MD5

    1c620763897a2166e17aab168bcf0d09

  • SHA1

    5d3d29ab6ec3f5e4d80f188d15a97002347ea6de

  • SHA256

    98cd8d900722c5903311d5c8e6a64333fa8bcda553cef3c872ba54a74c6ee47e

  • SHA512

    a631295724d1896dba791db58d2d370bf1330ab57f328253294025f5695da05b7c3ec94192e48421a0c7d19899d9e3bed5aa96f61564d6183fb6857e4bf61077

Score
10/10
xloaderconvloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

conv

C2

http://www.7stepsmeal.com/conv/

Decoy

hydrusgraphene.com

eastwindshomes.com

f1-holding.com

tomrings.com

nickysclosetnest.com

eckare88.com

southboundsupplies.com

asilar.net

ludiali.com

sarahasmussen.com

terreetmerphotography.com

tesserlink.com

xayxcq.com

jobforage.com

76leads.com

onyamarx.com

sandrinafloral.com

a5y7tvmr4.xyz

greatdanesuk.com

superbartendergigs.store

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
        3⤵
          PID:4072
        • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
          "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
          3⤵
            PID:1992
          • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
            "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
            3⤵
              PID:3500
            • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
              "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
              3⤵
                PID:4060
              • C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe
                "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
                3⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:2592
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\SysWOW64\control.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\swift_copy_MT103_pdf.exe"
                3⤵
                  PID:4328

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2592-126-0x0000000000400000-0x0000000000428000-memory.dmp
              Filesize

              160KB

              Download
            • memory/2592-131-0x0000000000E80000-0x0000000000E90000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2592-128-0x00000000012B0000-0x00000000015D0000-memory.dmp
              Filesize

              3.1MB

              Download
            • memory/2592-129-0x00000000009F0000-0x0000000000A00000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2592-127-0x000000000041CFA0-mapping.dmp
              Download
            • memory/3048-139-0x00000000049F0000-0x0000000004B0A000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/3048-132-0x0000000002400000-0x00000000024C3000-memory.dmp
              Filesize

              780KB

              Download
            • memory/3048-130-0x0000000000430000-0x00000000004EE000-memory.dmp
              Filesize

              760KB

              Download
            • memory/3644-122-0x00000000090F0000-0x00000000090F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3644-119-0x0000000005700000-0x0000000005701000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3644-124-0x0000000009560000-0x00000000095C5000-memory.dmp
              Filesize

              404KB

              Download
            • memory/3644-123-0x0000000009060000-0x0000000009067000-memory.dmp
              Filesize

              28KB

              Download
            • memory/3644-115-0x0000000000D00000-0x0000000000D01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3644-121-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3644-120-0x0000000005510000-0x00000000055A2000-memory.dmp
              Filesize

              584KB

              Download
            • memory/3644-125-0x000000000BD60000-0x000000000BD8E000-memory.dmp
              Filesize

              184KB

              Download
            • memory/3644-118-0x00000000055B0000-0x00000000055B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3644-117-0x0000000005C00000-0x0000000005C01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4328-136-0x0000000000000000-mapping.dmp
              Download
            • memory/4360-134-0x0000000000130000-0x0000000000150000-memory.dmp
              Filesize

              128KB

              Download
            • memory/4360-135-0x0000000002150000-0x0000000002178000-memory.dmp
              Filesize

              160KB

              Download
            • memory/4360-137-0x00000000042F0000-0x0000000004610000-memory.dmp
              Filesize

              3.1MB

              Download
            • memory/4360-138-0x0000000004040000-0x00000000040CF000-memory.dmp
              Filesize

              572KB

              Download
            • memory/4360-133-0x0000000000000000-mapping.dmp
              Download