Overview

overview

10

Static

static

1

ZT2468.exe

windows7_x64

10

ZT2468.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    04-11-2021 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZT2468.exe

  • Size

    288KB

  • MD5

    fab8e59e983d01fc0693c15309576f7a

  • SHA1

    7237e7d63f241d7785e638edf05a71064574659c

  • SHA256

    272447b597810afe392f24b2fbcab08cd76224f54251e009742ed350595fe54d

  • SHA512

    0eb51bc407abb70cabe32081b9e073505a761048e399a69a7857775974454b29d7fe46f46b12296f58e33e0feca5488adf399979b7ff9ead9e1e3ea24cd75120

Score
10/10
xloaderu5ehloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

C2

http://www.retonamoss.com/u5eh/

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\ZT2468.exe
      "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Users\Admin\AppData\Local\Temp\ZT2468.exe
        "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3720
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3384
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:3096
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:2628
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:2752
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:3012
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:2632
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:1788
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:2696
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:3756
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:3928
                        • C:\Windows\SysWOW64\wlanext.exe
                          "C:\Windows\SysWOW64\wlanext.exe"
                          2⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4092
                          • C:\Windows\SysWOW64\cmd.exe
                            /c del "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
                            3⤵
                              PID:4052

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Privilege Escalation

                        Defense Evasion

                        Credential Access

                        Discovery

                        System Information Discovery

                        1
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • \Users\Admin\AppData\Local\Temp\nsbBB14.tmp\jarjiypg.dll
                          MD5

                          6f34375ab63f8e726809b4ba0fbac265

                          SHA1

                          4ae027f2810893240dddbb08d50e81565d578035

                          SHA256

                          07001303d1031888767e46c324fb943967b1e3298f65f5a1c5053a344f2467aa

                          SHA512

                          0995a19e2582657dfb1e56ce53b280d3a817a154a6057a99b6b3329fa18203db3d5b8b97f76d5ab65822368d36c08d9c243183cd37c62648245d82e60f416791

                          Download Submit
                        • memory/3020-121-0x0000000005E40000-0x0000000005FCA000-memory.dmp
                          Filesize

                          1.5MB

                          Download
                        • memory/3020-128-0x00000000064E0000-0x0000000006610000-memory.dmp
                          Filesize

                          1.2MB

                          Download
                        • memory/3720-116-0x0000000000400000-0x0000000000429000-memory.dmp
                          Filesize

                          164KB

                          Download
                        • memory/3720-117-0x000000000041D3E0-mapping.dmp
                          Download
                        • memory/3720-120-0x00000000005C0000-0x00000000005D1000-memory.dmp
                          Filesize

                          68KB

                          Download
                        • memory/3720-119-0x0000000000B40000-0x0000000000E60000-memory.dmp
                          Filesize

                          3.1MB

                          Download
                        • memory/4052-126-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4092-122-0x0000000000000000-mapping.dmp
                          Download
                        • memory/4092-125-0x0000000003050000-0x00000000030FE000-memory.dmp
                          Filesize

                          696KB

                          Download
                        • memory/4092-124-0x0000000003020000-0x0000000003049000-memory.dmp
                          Filesize

                          164KB

                          Download
                        • memory/4092-127-0x0000000003500000-0x0000000003590000-memory.dmp
                          Filesize

                          576KB

                          Download
                        • memory/4092-123-0x00000000001D0000-0x00000000001E7000-memory.dmp
                          Filesize

                          92KB

                          Download