Overview

overview

10

Static

static

DO 2168569...21.exe

windows7_x64

10

DO 2168569...21.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DO 2168569 2172145000025112021.exe

  • Size

    584KB

  • MD5

    cb8bd5b9563bf3cfbafbbbbf99048266

  • SHA1

    9972dd790388aa860598448da56312571e4f4f5e

  • SHA256

    16afc1275bbb9dc325bcb03d7d0fb57b704adc0438c5c006070bdd07f2259230

  • SHA512

    858f481523f80cd8490deb9539a4ca8d5109aba5c6328ad0ea6f7aa063c229c462bc3a19197b08c7e6811df41c21b7fe8d7bf27f69a3c93d96f97795a88956a6

Score
10/10
xloaderu0n0loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

C2

http://www.52xjg3.xyz/u0n0/

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe
      "C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe
        "C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe"
        3⤵
          PID:572
        • C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe
          "C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1140
      • C:\Windows\SysWOW64\raserver.exe
        "C:\Windows\SysWOW64\raserver.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\DO 2168569 2172145000025112021.exe"
          3⤵
          • Deletes itself
          PID:1680

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/432-72-0x0000000000000000-mapping.dmp
      Download
    • memory/432-78-0x0000000001D60000-0x0000000001DF0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/432-77-0x0000000001DF0000-0x00000000020F3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/432-76-0x00000000000D0000-0x00000000000F9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/432-75-0x0000000000100000-0x000000000011C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/432-73-0x0000000074E51000-0x0000000074E53000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1140-61-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1140-62-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1140-64-0x000000000041D440-mapping.dmp
      Download
    • memory/1140-67-0x0000000000110000-0x0000000000121000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1140-63-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1140-66-0x00000000008A0000-0x0000000000BA3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1140-69-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1140-70-0x0000000000300000-0x0000000000311000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1220-71-0x0000000006280000-0x00000000063E4000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1220-68-0x0000000003CD0000-0x0000000003E0C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1220-79-0x0000000003E90000-0x0000000003F4B000-memory.dmp
      Filesize

      748KB

      Download
    • memory/1496-55-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1496-60-0x0000000004E60000-0x0000000004EBA000-memory.dmp
      Filesize

      360KB

      Download
    • memory/1496-59-0x00000000049E5000-0x00000000049F6000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1496-58-0x0000000000580000-0x0000000000588000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1496-57-0x00000000049E0000-0x00000000049E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1680-74-0x0000000000000000-mapping.dmp
      Download