Overview

overview

10

Static

static

5917d602f4...a7.exe

windows7_x64

10

5917d602f4...a7.exe

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    06-11-2021 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5917d602f423946e08474241e6a731a7.exe

  • Size

    438KB

  • MD5

    5917d602f423946e08474241e6a731a7

  • SHA1

    3cebe4b56204cee8b1eb168840bccf439f2d09b0

  • SHA256

    e86bb6d494e6720f0eaecd5a18c8e7c55324a1a301c5111f98a94d82fe295574

  • SHA512

    5ec95638d00578cf4c1b4e0be6ffb08f78af0419efea4eef3fab686fa637db3b2e836af6ab63f36aa33f7b2df78c5a22dab02fff6ae346831f81af590a11f947

Score
10/10
xloadernohaloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

noha

C2

http://www.mglracing.com/noha/

Decoy

iphone13promax.support

trailer-racks.xyz

overseaspoolservice.com

r2d2u.com

dawajeju.com

nextgenproxyvote.com

xn--vhqp8mm8dbtz.group

commonsenserisk.com

cmcqgxtyd.com

data2form.com

bois-applique.com

originallollipop.com

lj0008lj.net

spfldvaccineday.info

phalcosnusa.com

llcmastermachine.com

onlyforu14.rest

bestmarketingautomations.com

officialswitchmusic.com

thepretenseofjustice.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5917d602f423946e08474241e6a731a7.exe
    "C:\Users\Admin\AppData\Local\Temp\5917d602f423946e08474241e6a731a7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\5917d602f423946e08474241e6a731a7.exe
      "C:\Users\Admin\AppData\Local\Temp\5917d602f423946e08474241e6a731a7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1632-124-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1632-125-0x000000000041D490-mapping.dmp
    Download
  • memory/1632-126-0x0000000001300000-0x0000000001620000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2504-115-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2504-117-0x0000000005400000-0x0000000005401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2504-118-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2504-119-0x0000000004F20000-0x0000000004F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2504-120-0x0000000004F00000-0x00000000053FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2504-121-0x00000000053E0000-0x00000000053E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2504-122-0x00000000076B0000-0x00000000076B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2504-123-0x0000000007660000-0x00000000076AC000-memory.dmp
    Filesize

    304KB

    Download