Overview

overview

10

Static

static

SOA.exe

windows7_x64

10

SOA.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    25-10-2021 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA.exe

  • Size

    580KB

  • MD5

    a0661a2081100ffcb2a6f012237c4955

  • SHA1

    2331112fa3c9357aaba68c3d7402b112c705c72a

  • SHA256

    11f0960531aa51e1fc9e04c007c60d731d309baa35e90d9d4e9c49feff74d47d

  • SHA512

    dd3173fd770ec1601a6b454d450ce8118c596b3e72ead12c79df5f3dd4165be9892b8273775b9da1aa6136a55898bfb31a4da2c16e15303b402c00e9b117b774

Score
10/10
xloaderimm8loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

imm8

C2

http://www.hideserthealthinsurance.com/imm8/

Decoy

ewgnkxdgtqfspem.com

patxipiruli.com

eejy.ltd

parc-pro.com

kdcindia.com

dimathi.com

majesticreinsstable.com

zhaoyun.xyz

starfroot.com

dikanwang.com

420moxielane.com

danilaschembri.com

stablecoinreviews.com

camham.co.uk

happyspaces4life.com

ivonina.com

businesszukai.com

dietkusimple.com

nomeasureu.com

youthcampresources.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\SOA.exe
      "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1752
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1976
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:792

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/792-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1404-73-0x0000000001EB0000-0x0000000001F3F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/1404-70-0x0000000000A80000-0x0000000000AA6000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1404-72-0x0000000002180000-0x0000000002483000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1404-71-0x0000000000070000-0x0000000000098000-memory.dmp
        Filesize

        160KB

        Download
      • memory/1404-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1408-67-0x0000000007130000-0x000000000724C000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1408-74-0x0000000007540000-0x0000000007652000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1528-59-0x00000000006E0000-0x0000000000723000-memory.dmp
        Filesize

        268KB

        Download
      • memory/1528-54-0x00000000001E0000-0x00000000001E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1528-58-0x0000000005F60000-0x0000000005FD8000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1528-57-0x0000000000480000-0x0000000000487000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1528-56-0x0000000005010000-0x0000000005011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1976-65-0x00000000008C0000-0x0000000000BC3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1976-66-0x0000000000280000-0x0000000000290000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1976-63-0x000000000041D030-mapping.dmp
        Download
      • memory/1976-62-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/1976-61-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/1976-60-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download