Overview

overview

10

Static

static

10

Purchase O...01.exe

windows7_x64

10

Purchase O...01.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    21-11-2021 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order no.202201EYL-01.exe

  • Size

    163KB

  • MD5

    bf3176a88b749246b4294096531f97ca

  • SHA1

    34ae702a189c937a26dd8066466d43a3ef756b61

  • SHA256

    2ff3a8569873600f75e011be4ead5896a408672e43b15008679692557f6dc6c9

  • SHA512

    a75d6c7e362c06ae248b830bd91ec75730116461e7f6bc93c16ffc7c619c7eff8282a83439fffdae31ea401e6629db31ef8d36f041d6c08f353a5758c09f3327

Score
10/10
xloader46uqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.jixelbbk.com/46uq/

Decoy

spiritueleonlinetraining.online

jrpz86.com

dataxmart.com

zeogg.club

killiandooley.com

159studios.com

clginter.com

greenwirechicago.com

kennycheng.tech

carolyngracecoaching.com

cp-altodelamuela.com

amazonflowerjewelry.com

anseron.net

surplusqlxbjy.online

asasal.com

online-buy-now.com

kolab.today

statisticsacademy.com

dcupqiu.club

braxtynmi.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order no.202201EYL-01.exe"
        3⤵
        • Deletes itself
        PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/864-58-0x0000000000000000-mapping.dmp
    Download
  • memory/864-59-0x00000000007B0000-0x00000000007D6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/864-60-0x00000000000B0000-0x00000000000D9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/864-61-0x0000000002030000-0x0000000002333000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/864-63-0x00000000008E0000-0x0000000000970000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1276-57-0x0000000006C30000-0x0000000006DA8000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1276-64-0x00000000073A0000-0x00000000074BC000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1364-56-0x0000000000270000-0x0000000000281000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1364-55-0x00000000008D0000-0x0000000000BD3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1740-62-0x0000000000000000-mapping.dmp
    Download