Overview

overview

10

Static

static

Overdue Invoice.exe

windows7_x64

3

Overdue Invoice.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    01-12-2021 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Overdue Invoice.exe

  • Size

    614KB

  • MD5

    fc0c4e91f8407bc6d4d650924e7a4fae

  • SHA1

    6dd4286594c7d6171c9cf8479cd6a2b0821d053f

  • SHA256

    e630a2d0f63e21c38730606f15825c625d37eb1ff5b038724b403a1f72c591ec

  • SHA512

    038c6d7e7a455bf79fc9c5e77800d04be999b0ba84568eb90b18fb622577ceb54fa4ab5854bc8386b48d6cbaa53008993f94eb8172b6d8d74107cdb741ef811f

Score
10/10
xloaderea0rloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe
        "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:604
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
        3⤵
          PID:1476

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/604-127-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/604-130-0x00000000016B0000-0x00000000019D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/604-131-0x00000000011F0000-0x0000000001201000-memory.dmp
      Filesize

      68KB

      Download
    • memory/604-128-0x000000000041D410-mapping.dmp
      Download
    • memory/1476-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2584-124-0x0000000005670000-0x0000000005676000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2584-120-0x0000000005680000-0x0000000005681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2584-126-0x0000000006130000-0x0000000006187000-memory.dmp
      Filesize

      348KB

      Download
    • memory/2584-118-0x0000000000960000-0x0000000000961000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2584-123-0x0000000005240000-0x0000000005241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2584-122-0x0000000005180000-0x000000000567E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2584-121-0x0000000005260000-0x0000000005261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2584-125-0x00000000061D0000-0x00000000061D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2984-132-0x00000000061E0000-0x00000000062F0000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2984-139-0x0000000002B00000-0x0000000002BE5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/3436-135-0x00000000009C0000-0x00000000009E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3436-134-0x0000000001200000-0x0000000001216000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3436-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3436-137-0x0000000004AF0000-0x0000000004E10000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3436-138-0x00000000049F0000-0x0000000004A80000-memory.dmp
      Filesize

      576KB

      Download