Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows10_x64
  • resource: win10-en-20211014
  • submitted: 06-12-2021 11:54

General

  • Target: 5d10c77689e0c3bea850fa3c9ef40e8c.exe
  • Size: 516KB
  • MD5: 5d10c77689e0c3bea850fa3c9ef40e8c
  • SHA1: 35dca95d10a31fe0b1832f43005c0a79a6854604
  • SHA256: 8a0fb297baf6f3affb73e0c20116dec0bbbae0292fcbffc3948051555df5099d
  • SHA512: 920b5f4c55db41e225bb760a2d26b4aec8fed0d3d66392bbe8acf91cec35097e0934a2559661dd45eaa5b2303c102eedb4c88aef91e024c05b78d6cf289f795a

Score: 10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: ea0r
  • C2: http://www.asiapubz-hk.com/ea0r/
  • Decoy:
    lionheartcreativestudios.com
    konzertmanagement.com
    blackpanther.online
    broychim-int.com
    takut18.com
    txstarsolar.com
    herdsherpa.com
    igorshestakov.com
    shinesbox.com
    reflectpkljlt.xyz
    oiltoolshub.com
    viralmoneychallenge.com
    changingalphastrategies.com
    mecitiris.com
    rdadmin.online
    miniambiente.com
    kominarcine.com
    pino-almond.com
    heihit.xyz
    junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d10c77689e0c3bea850fa3c9ef40e8c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d10c77689e0c3bea850fa3c9ef40e8c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\5d10c77689e0c3bea850fa3c9ef40e8c.exe
      "C:\Users\Admin\AppData\Local\Temp\5d10c77689e0c3bea850fa3c9ef40e8c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • \Users\Admin\AppData\Local\Temp\nssBDF3.tmp\mpsjizjnb.dll
    MD5: 0815108791c7713f3a2d231a0a1f47fc
    SHA1: 0ee9fb0ce287805b0219b37767ce778c5ed2f482
    SHA256: 13a86e1868a200ce896a613f5fb0f61e548edbe7e31597e356c248f490ddaffd
    SHA512: 76ba98646074ca7258f083891d2e94105062ba0233a7c0ed3c46cb027a71696fd21ec811d4aad973c48105eab47fda5ad08911e6b1aef79131ee65bf8ebc093e

  • memory/3128-116-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB

  • memory/3128-117-0x000000000041D410-mapping.dmp

  • memory/3128-118-0x0000000000AF0000-0x0000000000E10000-memory.dmp
    Filesize: 3.1MB