Overview

overview

10

Static

static

Quotation ...nt.exe

windows7_x64

10

Quotation ...nt.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17-11-2021 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation - Urgent.exe

  • Size

    847KB

  • MD5

    ba72b878c2663e3f76de3d4ed7dfc8d2

  • SHA1

    e5a908d5a4ffeb873f176346c60663d575c8007f

  • SHA256

    ffba1e049d0da0a9f880a0f7e0b84a17699362ad87a1198cec937250c66587fd

  • SHA512

    9536239139c2f082767c4c03317a62aaf34e1f5a0a721063885919bb9e526ac3cbe13e1b5c56b6aab8722d3ad597b35f340636988565e8503c18092c58750471

Score
10/10
xloaderea0rloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
        3⤵
          PID:3288
        • C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
          "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:2928
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
            3⤵
              PID:1624

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1624-134-0x0000000000000000-mapping.dmp
          Download
        • memory/2768-117-0x0000000005980000-0x0000000005981000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2768-118-0x0000000005560000-0x0000000005561000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2768-119-0x0000000005480000-0x000000000597E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2768-120-0x00000000056D0000-0x00000000056D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2768-121-0x0000000005810000-0x0000000005817000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2768-122-0x0000000007D00000-0x0000000007D01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2768-123-0x0000000007CB0000-0x0000000007CFE000-memory.dmp
          Filesize

          312KB

          Download
        • memory/2768-124-0x0000000007ED0000-0x0000000007EFC000-memory.dmp
          Filesize

          176KB

          Download
        • memory/2768-115-0x0000000000B10000-0x0000000000B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2920-130-0x0000000002640000-0x0000000002718000-memory.dmp
          Filesize

          864KB

          Download
        • memory/2920-137-0x0000000004760000-0x000000000487D000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/2936-133-0x0000000000E70000-0x0000000000E99000-memory.dmp
          Filesize

          164KB

          Download
        • memory/2936-131-0x0000000000000000-mapping.dmp
          Download
        • memory/2936-132-0x0000000000FB0000-0x0000000000FC3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/2936-135-0x0000000004DB0000-0x00000000050D0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2936-136-0x0000000004C20000-0x0000000004CB0000-memory.dmp
          Filesize

          576KB

          Download
        • memory/3468-128-0x0000000001360000-0x0000000001680000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3468-129-0x0000000000EB0000-0x0000000000EC1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3468-126-0x000000000041D410-mapping.dmp
          Download
        • memory/3468-125-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download