Analysis

  • max time kernel
    119s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-12-2021 10:52

General

  • Target

    9ec07103c052555c630c02674ceff8d8.exe

  • Size

    654KB

  • MD5

    9ec07103c052555c630c02674ceff8d8

  • SHA1

    ebde834f4e440a9f560a5ef41831832e5396f82d

  • SHA256

    99ce2e68255b2f3b1ee1934af1eacd280a096adaedcaa2df1f03e8d9ee01e860

  • SHA512

    c21b211407903c8bbb3e492adaf155c1751b180efc1de7dcc6cd65194f0ba32c5271c7e0a49b5634d8a376831149f912d7bc18d5965465a6a68c42e3e1ba86e8

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com
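The extracted config above is directly usable for hunting in proxy or DNS logs. The following is an added example (not part of the sandbox report) that loads the C2 URL, campaign ID and decoy list exactly as listed and classifies requests from constructed proxy log lines. It assumes, based on documented Formbook-family behaviour and not anything the report itself states, that the sample beacons to the decoy domains with the same `/<campaign>/` path it uses for the real C2, so an unlisted host receiving a `/ea0r/` request is also surfaced. The log format and client addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report.
C2_URL = "http://www.asiapubz-hk.com/ea0r/"
CAMPAIGN = "ea0r"
DECOYS = {
    "lionheartcreativestudios.com", "konzertmanagement.com", "blackpanther.online",
    "broychim-int.com", "takut18.com", "txstarsolar.com", "herdsherpa.com",
    "igorshestakov.com", "shinesbox.com", "reflectpkljlt.xyz", "oiltoolshub.com",
    "viralmoneychallenge.com", "changingalphastrategies.com", "mecitiris.com",
    "rdadmin.online", "miniambiente.com", "kominarcine.com", "pino-almond.com",
    "heihit.xyz", "junqi888.com",
}

C2_HOST = urlsplit(C2_URL).hostname  # "www.asiapubz-hk.com"

# Assumption (Formbook-family behaviour, not stated in the report): decoys and the
# real C2 are all contacted under the same "/<campaign>/" URI prefix.
CAMPAIGN_PATH_RE = re.compile(r"^/" + re.escape(CAMPAIGN) + r"/")


def registered_domain(host):
    """Normalise a hostname: lower-case, strip trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(host, path):
    """Return 'c2', 'decoy', 'campaign-path' or None for a single request."""
    dom = registered_domain(host)
    if dom == registered_domain(C2_HOST):
        return "c2"
    if dom in DECOYS:
        return "decoy"
    if CAMPAIGN_PATH_RE.match(path):
        # Unknown host but the campaign URI: a decoy/C2 not in this extraction, worth triage.
        return "campaign-path"
    return None


# Constructed proxy log lines ("client method url status"); not taken from the report.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.asiapubz-hk.com/ea0r/?Xv=abc 200
10.0.0.12 POST http://www.lionheartcreativestudios.com/ea0r/ 404
10.0.0.12 GET http://example.org/index.html 200
10.0.0.12 GET http://www.txstarsolar.com/ea0r/?Q=1 200
10.0.0.31 GET http://unlisted-host.test/ea0r/?z=9 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def scan_log(text):
    """Yield (client, classification, host) for every request that matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        kind = classify(parts.hostname or "", parts.path or "/")
        if kind:
            hits.append((client, kind, parts.hostname))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Decoy hits alone do not prove infection, since these are mostly legitimate third-party sites; the useful signal is one client touching the real C2 host, or several decoys plus the campaign path, within a short window.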

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but the signature is generic: for an Xloader/Formbook sample it is not on its own evidence of file encryption and should be read together with the other indicators.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe (PID 3388, tree depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe (PID 2972, tree depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe"
      • Suspicious behavior: EnumeratesProcesses
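The process tree shows the pattern a detection engineer would key on: the sample (PID 3388) starts a second copy of its own image (PID 2972) and is flagged for WriteProcessMemory and SetThreadContext, which together are the classic self-injection (hollowing-style) sequence, while the parent also loads a DLL dropped under a temp directory. The following is an added example, not code from the sandbox, that expresses those two checks over a constructed event list. The event schema, the parent PID 1000, the explorer/notepad control pair and the fact that the API calls target PID 2972 are assumptions for the example; the image paths and PIDs 3388/2972 are taken from the report.

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\nsk3526.tmp\abuzfzrzkg.dll"

# Constructed event stream (schema is assumed, not a real sandbox/EDR format).
# Targets of the API calls are assumed; the report only says the APIs were used.
EVENTS = [
    {"type": "process_start", "pid": 3388, "ppid": 1000, "image": SAMPLE},
    {"type": "image_load", "pid": 3388, "path": DROPPED_DLL},
    {"type": "process_start", "pid": 2972, "ppid": 3388, "image": SAMPLE},
    {"type": "api", "pid": 3388, "name": "WriteProcessMemory", "target": 2972},
    {"type": "api", "pid": 3388, "name": "SetThreadContext", "target": 2972},
    {"type": "api", "pid": 2972, "name": "CreateToolhelp32Snapshot", "target": None},
    # Benign control: a parent writing into a child with a different image is not self-injection.
    {"type": "process_start", "pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_start", "pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "api", "pid": 5000, "name": "WriteProcessMemory", "target": 5100},
]


def index_events(events):
    """Build per-pid lookups: process starts, API calls with targets, and image loads."""
    starts = {}                       # pid -> (ppid, lower-cased image path)
    api_by_pid = defaultdict(set)     # pid -> {(api_name, target_pid)}
    loads = defaultdict(list)         # pid -> [loaded image paths]
    for e in events:
        if e["type"] == "process_start":
            starts[e["pid"]] = (e["ppid"], e["image"].lower())
        elif e["type"] == "api":
            api_by_pid[e["pid"]].add((e["name"], e["target"]))
        elif e["type"] == "image_load":
            loads[e["pid"]].append(e["path"])
    return starts, api_by_pid, loads


def find_self_injection(events):
    """Parent spawns its own image, then writes memory and sets a thread context in that child."""
    starts, api, _ = index_events(events)
    hits = []
    for child, (ppid, image) in starts.items():
        if ppid not in starts or starts[ppid][1] != image:
            continue  # parent unknown or a different binary: not the self-copy pattern
        wrote = ("WriteProcessMemory", child) in api[ppid]
        ctx = ("SetThreadContext", child) in api[ppid]
        if wrote and ctx:
            hits.append((ppid, child, image))
    return hits


def find_temp_dll_loads(events):
    """DLLs loaded from the user's AppData\\Local\\Temp tree, as the dropped DLL here is."""
    _, _, loads = index_events(events)
    out = []
    for pid, paths in loads.items():
        for p in paths:
            low = p.lower()
            if "\\appdata\\local\\temp\\" in low and low.endswith(".dll"):
                out.append((pid, p))
    return out


if __name__ == "__main__":
    print(find_self_injection(EVENTS))
    print(find_temp_dll_loads(EVENTS))
```

On a real EDR feed the same logic maps to Sysmon event ID 1 (process creation) for the parent/child image comparison and to API-level telemetry for the two calls; the explorer/notepad control shows why requiring both calls against the same same-image child, rather than WriteProcessMemory alone, keeps the rule from firing on ordinary shells.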

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • System Information Discovery (T1082): 1


Downloads

  • \Users\Admin\AppData\Local\Temp\nsk3526.tmp\abuzfzrzkg.dll
    MD5

    62c704f52892ef91ba52080a3840fdc9

    SHA1

    110eb4c9b6dbe5c37a5a8e1f86d71d96c45a6a82

    SHA256

    8f92430d41cbbaf0cedec9eec04101fe6b047532448110d4e4c9babb63a55cfc

    SHA512

    60f853f5be7996f7dd5daa00a6c80abb576307f8cf60600e2162d4761e122bb3bb5422b9b946971852439b0b50865412dc0039c24c2ff773201238bc0dcbfe7b

  • memory/2972-119-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/2972-120-0x000000000041D410-mapping.dmp
  • memory/2972-121-0x0000000000A50000-0x0000000000D70000-memory.dmp
    Filesize

    3.1MB