Overview

overview

10

Static

static

1

XLOQKH0876...65.exe

windows7_x64

10

XLOQKH0876...65.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    22-10-2021 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XLOQKH087654560780098765.exe

  • Size

    416KB

  • MD5

    1a3bcd7f400b0d7a37166c1c5af7f886

  • SHA1

    a654cdfc29951ac2e77af3fbbbd7160b5205c8f9

  • SHA256

    fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d

  • SHA512

    47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f

Score
10/10
xloaderiaoploaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

C2

http://www.georgeinnhatherleigh.com/iaop/

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe
      "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe
        "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"
        3⤵
        • Deletes itself
        PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsy587D.tmp\wvhivcwcy.dll
    MD5

    5d0d2589c6c859b43bb0e6c6b88fa767

    SHA1

    4085e250109fefddf1a35b3fb3fadc66714effda

    SHA256

    6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e

    SHA512

    8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af

    Download Submit
  • memory/376-54-0x0000000075C11000-0x0000000075C13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/620-62-0x0000000000000000-mapping.dmp
    Download
  • memory/620-67-0x0000000001F80000-0x0000000002010000-memory.dmp
    Filesize

    576KB

    Download
  • memory/620-64-0x0000000000540000-0x0000000000549000-memory.dmp
    Filesize

    36KB

    Download
  • memory/620-66-0x0000000002110000-0x0000000002413000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/620-65-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1384-61-0x0000000004880000-0x0000000004969000-memory.dmp
    Filesize

    932KB

    Download
  • memory/1384-68-0x0000000005E40000-0x0000000005F19000-memory.dmp
    Filesize

    868KB

    Download
  • memory/1404-59-0x0000000000850000-0x0000000000B53000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1404-60-0x00000000002C0000-0x00000000002D1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1404-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1404-57-0x000000000041D4E0-mapping.dmp
    Download
  • memory/1760-63-0x0000000000000000-mapping.dmp
    Download