Overview

overview

10

Static

static

SOA & INV ...21.exe

windows7_x64

10

SOA & INV ...21.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    09-11-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA & INV FOR OCT'21.exe

  • Size

    426KB

  • MD5

    6807709a74cde5eafc0f8c668a13be81

  • SHA1

    460279d69c1ddd6d36ed25e7985e9e2bbad7ad65

  • SHA256

    696ba6fed0994cac4e47993f336820499cd3faf3ce4713d4e0be0ea0d91748af

  • SHA512

    bd75b2f3aaa316028e489eec30df49cd02ce6320ba3faebe24ac88f177434ca45638cb7118972ff86e9c16d2a44caf1cb400bcc42363fc9de7cbf96dd872f032

Score
10/10
xloaderu0n0loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

C2

http://www.52xjg3.xyz/u0n0/

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe
      "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe
        "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
        3⤵
          PID:772
        • C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe
          "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:776
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\SOA & INV FOR OCT'21.exe"
          3⤵
            PID:3192

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/776-127-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/776-130-0x0000000000EC0000-0x00000000011E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/776-131-0x0000000000A10000-0x0000000000B5A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/776-128-0x000000000041D440-mapping.dmp

        Download

      • memory/2268-136-0x0000000000530000-0x0000000000559000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2268-138-0x0000000004480000-0x0000000004510000-memory.dmp

        Filesize

        576KB

        Download

      • memory/2268-137-0x00000000046C0000-0x00000000049E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2268-135-0x0000000000B00000-0x0000000000B06000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2268-133-0x0000000000000000-mapping.dmp

        Download

      • memory/2416-132-0x0000000004F80000-0x00000000050CE000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2416-139-0x00000000066E0000-0x000000000683D000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2720-120-0x0000000005490000-0x0000000005491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2720-124-0x0000000004F70000-0x0000000004F77000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2720-121-0x0000000004F90000-0x0000000004F91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2720-118-0x0000000000570000-0x0000000000571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2720-122-0x0000000004F40000-0x0000000004F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2720-123-0x0000000004F90000-0x000000000548E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2720-126-0x0000000005CE0000-0x0000000005D26000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2720-125-0x0000000005D30000-0x0000000005D31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3192-134-0x0000000000000000-mapping.dmp

        Download