Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    08-10-2021 06:52

General

  • Target

    7.exe

  • Size

    164KB

  • MD5

    d5505bd41c64788074c8dc6fb0e68226

  • SHA1

    d0b5f1288fbd6f0e9844a6e06d3fe148ab9bd5dd

  • SHA256

    7c091c9ad6167399192bd97032c60267e78566353b6d25a84e40f823b56bcbe1

  • SHA512

    78c421545624fc4162e23b21558e584c352b882ee4d658f7b946a9812d067fa9ef28d4c7dd844ae81a3b7be697fb378a6ad476e41e94646586fdea3c39ceb5b1

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE (PID 1204, tree depth 1)
    Command line: C:\Windows\Explorer.EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\7.exe (PID 1464, tree depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\help.exe (PID 800, tree depth 2)
      Command line: "C:\Windows\SysWOW64\help.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 648, tree depth 3)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\7.exe"
        • Deletes itself


Downloads

  • memory/648-60-0x0000000000000000-mapping.dmp
  • memory/800-56-0x0000000000000000-mapping.dmp
  • memory/800-57-0x0000000000F80000-0x0000000000F86000-memory.dmp (Filesize: 24KB)
  • memory/800-58-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
  • memory/800-59-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize: 164KB)
  • memory/800-61-0x0000000000580000-0x0000000000610000-memory.dmp (Filesize: 576KB)
  • memory/1204-55-0x0000000004290000-0x0000000004354000-memory.dmp (Filesize: 784KB)
  • memory/1204-62-0x0000000006180000-0x00000000062DB000-memory.dmp (Filesize: 1.4MB)
  • memory/1464-53-0x00000000007D0000-0x0000000000AD3000-memory.dmp (Filesize: 3.0MB)
  • memory/1464-54-0x0000000000130000-0x0000000000141000-memory.dmp (Filesize: 68KB)