Overview

overview

10

Static

static

10

dump_2.bin.exe

windows7_x64

10

dump_2.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    28-10-2021 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dump_2.bin.exe

  • Size

    163KB

  • MD5

    affd2e9e568d6d431cb872166ba00a97

  • SHA1

    14d2752d408c3e825cdddeb9beb84de7c3434eed

  • SHA256

    64a668add3d7f3bbcc0ef6acb25529c70df773d74e7e17a4a8fd8c95e81ee8bd

  • SHA512

    e0c9fc9c14b83bbebe13441eb873b942f59c54b474c861980d37d45eb68b935b60fdc37952072fa2d927b11a0294f68050663e61656101843e6bb5eb1f479c5b

Score
10/10
xloaderc8teloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c8te

C2

http://www.art-space.xyz/c8te/

Decoy

solendshop.com

petanimals2021.com

infullylucky.com

advisormarketing.online

hgfdsx.com

bjshsq.com

43454255.xyz

newsexpressed.com

tenacityshipping.com

y-promotion.com

saltypigeon.com

acemodule.com

satisfaction-spa.com

evertownnyc.com

orgoheart.com

bankerszonemock.com

conveniente-prestamo.com

suprememodelmanagement.com

ego-designteam.com

mecanicotijuana.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\dump_2.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\dump_2.bin.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3812
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1588-117-0x0000000000890000-0x0000000000970000-memory.dmp
    Filesize

    896KB

    Download
  • memory/1588-123-0x0000000004FF0000-0x0000000005126000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3712-118-0x0000000000000000-mapping.dmp
    Download
  • memory/3712-120-0x0000000000670000-0x0000000000699000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3712-119-0x0000000000BD0000-0x0000000000BF0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3712-121-0x00000000046D0000-0x00000000049F0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3712-122-0x0000000004390000-0x0000000004420000-memory.dmp
    Filesize

    576KB

    Download
  • memory/3812-115-0x0000000001800000-0x0000000001B20000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3812-116-0x00000000017C0000-0x00000000017D1000-memory.dmp
    Filesize

    68KB

    Download