Overview

overview

10

Static

static

1

0e03abdcfc...8a.exe

windows7_x64

10

0e03abdcfc...8a.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e03abdcfc2280af3abae47683c0368a.exe

  • Size

    421KB

  • MD5

    0e03abdcfc2280af3abae47683c0368a

  • SHA1

    8b25868c70d66c3aafc37e400ca3af4d117e7bd5

  • SHA256

    9205523ee331f11fbe9fb30fa72a45ed45ed2eb5f92b26f01b9e26774264e9d5

  • SHA512

    54affd451f4ff96c85d770c9c65587732f53c6d4a17355e54f6fc2eacfe4584bb3400f7235aa8c2c83619a97b694284a33916f62b9166f137dfcc6cbfb6a1a8b

Score
10/10
xloaderdnz9loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dnz9

C2

http://www.mykigey5.xyz/dnz9/

Decoy

anlefa.com

jelle.graphics

socalsandblasting.com

gamjadog.online

sabanetavirtual.com

serv-blackhawk-net.com

at-markant.com

carbonfiber.cloud

nftmarketfree.com

abcfortis.xyz

44a44.net

alardellyux.com

alle-notdienste.com

dazzletower.com

rsphongrui.com

leasedrillrig.store

cabinetfuid.com

divinelawn.com

baileysepictravel.com

healthwellness.store

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe
    "C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe
      "C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsyCE77.tmp\fejywy.dll
    MD5

    96ac5399552c74027b0869aa85c04b90

    SHA1

    4b499e53790ac158cf3cb6d368d83772f986ea60

    SHA256

    90cdf6d580cbce5bd78813c80da4df0fffb2ec78ffe1829169799812e4b91739

    SHA512

    98b77f682f30f6a842b12bcd74602a8e9fc092c178dfbc0af7038199d403f7adc8125afca3a66b9d3f27d45733e65a86ae87f8012a4439654062615451b0b66d

    Download Submit
  • memory/836-54-0x0000000075821000-0x0000000075823000-memory.dmp
    Filesize

    8KB

    Download
  • memory/856-56-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/856-57-0x000000000041D490-mapping.dmp
    Download
  • memory/856-58-0x00000000008D0000-0x0000000000BD3000-memory.dmp
    Filesize

    3.0MB

    Download