Overview

overview

10

Static

static

apmPuZR9VEFCl0d.exe

windows7_x64

10

apmPuZR9VEFCl0d.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    28-09-2021 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    apmPuZR9VEFCl0d.exe

  • Size

    417KB

  • MD5

    675b5a620f66d0abbd3940ef365ee298

  • SHA1

    7baa86b11256ad89b51decfa1fab8fa8d192ff78

  • SHA256

    d2c3619f62ee7f09594134678d02e47d6a0b71a5e203f3edae6a9f5dbecb4f48

  • SHA512

    ceef3ab4249ae9e2567dc2d349dc22f1cb190d7b908c4f6869c8f81da30df76c9504fa98d8521914a797355f4a1127c50bf19e89441f46c85036b9baa5c7110a

Score
10/10
xloaderjdt0loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

jdt0

C2

http://www.jen4x.com/jdt0/

Decoy

william188.com

kmknim.com

freedomnofear.com

industrialohare.com

devopswave.com

g1fz.com

aliceguidi.info

linkared.com

crossboda.com

lpddr3.com

ktnword.xyz

productsdesign.top

dulichnhatviet.com

piazzaassociates.com

inpude.com

kmi.contractors

getkyrobak.com

sportinggoodssuperstore.com

trifoly.info

aspectjudge.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\apmPuZR9VEFCl0d.exe
      "C:\Users\Admin\AppData\Local\Temp\apmPuZR9VEFCl0d.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1580

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1408-71-0x0000000006890000-0x00000000069FB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1408-64-0x00000000040A0000-0x0000000004183000-memory.dmp
      Filesize

      908KB

      Download
    • memory/1480-63-0x00000000002E0000-0x00000000002F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1480-62-0x0000000000A20000-0x0000000000D23000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1480-61-0x000000000041D390-mapping.dmp
      Download
    • memory/1480-60-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1580-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1592-67-0x0000000000180000-0x00000000001A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1592-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1592-68-0x0000000000070000-0x0000000000099000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1592-69-0x0000000001F20000-0x0000000002223000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1592-70-0x0000000002230000-0x00000000022C0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1592-72-0x00000000765A1000-0x00000000765A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2036-59-0x0000000000640000-0x000000000066C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2036-58-0x00000000050B0000-0x000000000510A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/2036-57-0x0000000000320000-0x000000000032E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2036-54-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2036-56-0x0000000004C10000-0x0000000004C11000-memory.dmp
      Filesize

      4KB

      Download