Resubmissions

  • 21-10-2021 12:23  211021-pkp6tabbdj  Score 10
  • 21-10-2021 10:11  211021-l7x86abaak  Score 10

Analysis

  • max time kernel
    555s
  • max time network
    607s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 12:23

General

  • Target

    371c76d36256463a54d34e12d6741720.exe

  • Size

    251KB

  • MD5

    371c76d36256463a54d34e12d6741720

  • SHA1

    41843093a5b3a7f5712abd30937004b203851252

  • SHA256

    4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c

  • SHA512

    f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m5cw

C2

http://www.art-for-a-cause.com/m5cw/

Decoy

stolpfabriken.com

aromaessentialco.com

rmcclaincpa.com

wuruixin.com

sidhyanticlasses.com

horilka.store

organic-outlaws.com

customsoftwarelogistics.com

cheryltesting.com

thecompacthomegym.com

the22yards.club

quickloanprovidersservices.com

grippyent.com

guard-usa.com

agircredit.com

classificationmetallurgie.com

quizzesandcode.com

catdanos.com

8676789.rest

gotbestshavlngplansforyou.com
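The config above lists one real C2 and twenty decoys. The practical point for anyone writing detections from it: Formbook/Xloader beacons to the real C2 and to a selection of the decoy domains using the same URI path, built from the campaign id ("/m5cw/"), so the decoy list is a set of network indicators in its own right, and the path is a better hunting key than any single host. The following is an added example, not the sandbox's own tooling, that turns the extracted values into a host list, the full set of beacon URLs, a Suricata rule (Suricata 5+ keyword syntax; the sid is a placeholder) and a classifier for observed requests. The beacon-path behaviour is stated as an assumption in the code, and the proxy log lines are constructed for the example.

```python
"""Hunting artifacts from the Xloader config extracted in this report.

Added example for this page, not the sandbox's own tooling. Assumptions
(labelled): Formbook/Xloader beacons to the real C2 and to decoy domains
with the same URI path "/<campaign>/", so the decoys are network IOCs,
not noise; the Suricata rule uses Suricata 5+ keyword syntax and its sid
is a placeholder; SAMPLE_REQUESTS below is constructed, not captured.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class XloaderConfig:
    family: str
    version: str
    campaign: str
    c2: str                      # full URL, as the extractor reports it
    decoys: list = field(default_factory=list)

    @property
    def path(self):
        # Assumption: the beacon path is the campaign id between slashes.
        return f"/{self.campaign}/"

    @staticmethod
    def _norm(host):
        # Lower-case, drop any port and a leading "www." for comparison.
        host = host.lower().split(":")[0].strip(".")
        return host[4:] if host.startswith("www.") else host

    @property
    def c2_host(self):
        return self._norm(urlparse(self.c2).hostname)

    def hosts(self):
        """Real C2 host first, then decoys; normalised and de-duplicated."""
        out = []
        for h in [self.c2_host, *map(self._norm, self.decoys)]:
            if h not in out:
                out.append(h)
        return out

    def urls(self):
        """Every URL the sample may request while beaconing (assumption)."""
        return [self.c2] + [f"http://{h}{self.path}" for h in self.hosts()[1:]]

    def classify(self, host, uri):
        """'c2', 'decoy' or None for one observed HTTP request."""
        if not uri.startswith(self.path):
            return None
        h = self._norm(host)
        if h == self.c2_host:
            return "c2"
        return "decoy" if h in self.hosts() else None

    def suricata_rule(self, sid):
        # sid is a placeholder; allocate one from your local range.
        return (
            "alert http $HOME_NET any -> $EXTERNAL_NET any ("
            f'msg:"Xloader {self.version} campaign {self.campaign} beacon"; '
            "flow:established,to_server; "
            f'http.uri; content:"{self.path}"; startswith; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)"
        )


# Values copied from the report above.
CONFIG = XloaderConfig(
    family="xloader", version="2.5", campaign="m5cw",
    c2="http://www.art-for-a-cause.com/m5cw/",
    decoys=[
        "stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com",
        "wuruixin.com", "sidhyanticlasses.com", "horilka.store",
        "organic-outlaws.com", "customsoftwarelogistics.com",
        "cheryltesting.com", "thecompacthomegym.com", "the22yards.club",
        "quickloanprovidersservices.com", "grippyent.com", "guard-usa.com",
        "agircredit.com", "classificationmetallurgie.com",
        "quizzesandcode.com", "catdanos.com", "8676789.rest",
        "gotbestshavlngplansforyou.com",
    ],
)

# Constructed proxy log lines ("host uri"); not from the report.
SAMPLE_REQUESTS = [
    "www.art-for-a-cause.com /m5cw/?x=AAAA",   # real C2 hit
    "stolpfabriken.com /m5cw/",                # decoy hit
    "www.horilka.store /m5cw/",                # decoy hit, www. variant
    "stolpfabriken.com /index.html",           # same host, wrong path
    "example.org /m5cw/",                      # right path, unknown host
]


def triage(lines):
    """Map each 'host uri' line to its verdict; only hits are returned."""
    hits = []
    for line in lines:
        host, uri = line.split(maxsplit=1)
        verdict = CONFIG.classify(host, uri)
        if verdict:
            hits.append((host, verdict))
    return hits
```

Blocking only the reported C2 leaves the decoy traffic visible but unexplained; the path-based rule catches the beacon regardless of which host the sample picked in a given run.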

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but that is a heuristic label, not a finding: for an Xloader/Formbook sample it is consistent with host reconnaissance, and no file-encryption activity is reported anywhere else in this analysis.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
    "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
      "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:840

    Note: PID 840 is a second copy of the sample started by PID 1212, and the parent is the one flagged for WriteProcessMemory and SetThreadContext. A same-image child plus those two calls in the parent is the self-injection (process hollowing) pattern, so the child holds the unpacked payload and is the process whose memory dumps matter below.

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • \Users\Admin\AppData\Local\Temp\nsy9483.tmp\ztqv.dll
    (dropped into an ns####.tmp directory, the naming pattern NSIS installers use for their temporary plugin folder; this is the DLL that PID 1212 is flagged for loading)
    MD5

    97d84d39bb68b5a29e976b40d7d0a00c

    SHA1

    cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c

    SHA256

    5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8

    SHA512

    aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546

  • memory/840-55-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/840-56-0x000000000041D4C0-mapping.dmp
  • memory/840-57-0x00000000006F0000-0x00000000009F3000-memory.dmp
    Filesize

    3.0MB

  • memory/1212-53-0x00000000751A1000-0x00000000751A3000-memory.dmp
    Filesize

    8KB