Overview

overview

10

Static

static

1ZA109T4043832978.exe

windows7_x64

10

1ZA109T4043832978.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    29-09-2021 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ZA109T4043832978.exe

  • Size

    870KB

  • MD5

    b9c97800cf3e146a5ab333672363db14

  • SHA1

    545da9f150fcdf0994b87d09b26963c3a2788665

  • SHA256

    5f849b2eff2280adf1041388bbad6fc2e4f047c36b6d942ecd4e07946352049c

  • SHA512

    65f5ed4a6ebfb6125faa6f347070d391c5ec883f84603777605da2790cb8bf90c372e8d1bb86447479e2ddb3d63ea6b4fb089667a0fdb7ed6587b2416c7a7fb5

Score
10/10
xloadertr7hloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

tr7h

C2

http://www.globalinterchangellc.com/tr7h/

Decoy

hnhstudios.com

du-lang.com

lonestartradeoilllc.com

criptool.online

rebus-automotive.com

boxedwallconsepts.net

helixarray.com

jinqiaodianfen.com

goldenwaxi.com

comprarloterianacional.com

digebitdigital.com

cryptoupp.com

332151.com

bousui.club

redakassoumeh.com

giantinosglobalreachstore.com

resultsnft.com

papicolar.com

juvesti.com

tax-kaikei.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe
      "C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe
        "C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
            5⤵
            • Deletes itself
            PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/584-71-0x0000000000000000-mapping.dmp
    Download
  • memory/976-62-0x0000000000C90000-0x0000000000F93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/976-65-0x00000000001D0000-0x00000000001E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/976-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/976-61-0x000000000041D4C0-mapping.dmp
    Download
  • memory/976-63-0x0000000000190000-0x00000000001A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1364-74-0x0000000003FB0000-0x000000000404D000-memory.dmp
    Filesize

    628KB

    Download
  • memory/1364-66-0x0000000006FE0000-0x000000000710D000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1364-64-0x0000000006440000-0x0000000006582000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1756-59-0x00000000045E0000-0x0000000004618000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1756-53-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1756-58-0x00000000009C0000-0x00000000009C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1756-57-0x0000000007DD0000-0x0000000007E38000-memory.dmp
    Filesize

    416KB

    Download
  • memory/1756-56-0x00000000009A0000-0x00000000009B3000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1756-55-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1852-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1852-68-0x0000000076B61000-0x0000000076B63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1852-69-0x00000000001E0000-0x00000000001FC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1852-70-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-72-0x0000000001F90000-0x0000000002293000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1852-73-0x0000000001E00000-0x0000000001E90000-memory.dmp
    Filesize

    576KB

    Download