Overview

overview

10

Static

static

SOA & INV ...21.exe

windows7_x64

10

SOA & INV ...21.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    09-11-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA & INV FOR OCT'21.exe

  • Size

    426KB

  • MD5

    6807709a74cde5eafc0f8c668a13be81

  • SHA1

    460279d69c1ddd6d36ed25e7985e9e2bbad7ad65

  • SHA256

    696ba6fed0994cac4e47993f336820499cd3faf3ce4713d4e0be0ea0d91748af

  • SHA512

    bd75b2f3aaa316028e489eec30df49cd02ce6320ba3faebe24ac88f177434ca45638cb7118972ff86e9c16d2a44caf1cb400bcc42363fc9de7cbf96dd872f032

Score
10/10
xloaderu0n0loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

C2

http://www.52xjg3.xyz/u0n0/

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe
      "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe
        "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
        3⤵
        • Deletes itself
        PID:944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/752-57-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize

    8KB

    Download
  • memory/752-58-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-59-0x0000000000990000-0x0000000000997000-memory.dmp
    Filesize

    28KB

    Download
  • memory/752-60-0x0000000004CB0000-0x0000000004CF6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/752-55-0x0000000000A20000-0x0000000000A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-73-0x0000000000000000-mapping.dmp
    Download
  • memory/960-75-0x0000000000070000-0x0000000000099000-memory.dmp
    Filesize

    164KB

    Download
  • memory/960-77-0x0000000000610000-0x00000000006A0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/960-76-0x00000000021F0000-0x00000000024F3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/960-74-0x0000000000910000-0x0000000000932000-memory.dmp
    Filesize

    136KB

    Download
  • memory/960-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1360-71-0x00000000041E0000-0x00000000042EE000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1360-68-0x0000000006C20000-0x0000000006D79000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1360-78-0x0000000008D80000-0x0000000008E94000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1744-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1744-70-0x0000000000310000-0x0000000000321000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1744-69-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1744-66-0x0000000000A90000-0x0000000000D93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1744-67-0x0000000000280000-0x0000000000291000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1744-64-0x000000000041D440-mapping.dmp
    Download
  • memory/1744-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1744-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download