Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
28-09-2021 12:45
General
-
Target
BL.exe
-
Size
807KB
-
MD5
655d846a65b27c02ed505b03a4c3bb5c
-
SHA1
9b0861b0e816878ba0293cbe7c2838ed6f1ab98b
-
SHA256
c6abf1c546a9bd38b2e156da3b3d13388a3f81cf1955f85f76792c6193e144a6
-
SHA512
0ce9e954e41771c8ee9d982798d659ac73e9880aa887541348e70ae9a4a880163145b1c3e1650f99a8e1ebb8b0177cb7ffab0daa41027a4dffeca5e0a4534bda
Malware Config
Extracted
xloader
2.3
angp
http://www.cartoonuniversetr.com/angp/
up24az.com
zeroveom.com
1digitalventures.com
forddongsaigon.com
ryota-mizusawa.com
quick-1k.com
startprofitsonline.com
thumbaycomforts.com
wigholes.website
makhariskloset.com
laranabcn.com
unseen.observer
multipliii.com
smartpod.tech
lightparis.com
reddetenis.com
forprosperliving.group
growingequityfund.com
youbuzc.com
kompromat.global
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BL.exe"C:\Users\Admin\AppData\Local\Temp\BL.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2276-115-0x0000000002220000-0x0000000002221000-memory.dmpFilesize
4KB
-
memory/2788-119-0x0000000000000000-mapping.dmp
-
memory/2788-121-0x0000000010410000-0x0000000010439000-memory.dmpFilesize
164KB
-
memory/2788-120-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/2788-122-0x00000000044F0000-0x0000000004810000-memory.dmpFilesize
3.1MB
-
memory/2788-123-0x0000000000EB0000-0x0000000000EC0000-memory.dmpFilesize
64KB
-
memory/3040-124-0x0000000006920000-0x0000000006A31000-memory.dmpFilesize
1.1MB
-
memory/3040-130-0x0000000002C40000-0x0000000002D2B000-memory.dmpFilesize
940KB
-
memory/3776-125-0x0000000000000000-mapping.dmp
-
memory/3776-126-0x0000000000A60000-0x0000000000A73000-memory.dmpFilesize
76KB
-
memory/3776-127-0x0000000000980000-0x00000000009A9000-memory.dmpFilesize
164KB
-
memory/3776-128-0x0000000004B60000-0x0000000004E80000-memory.dmpFilesize
3.1MB
-
memory/3776-129-0x0000000004920000-0x00000000049AF000-memory.dmpFilesize
572KB