Overview

overview

10

Static

static

tmp/femp.exe

windows7_x64

10

tmp/femp.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    14-12-2021 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp/femp.exe

  • Size

    344KB

  • MD5

    c62a556b445ff8cf1b9e0b038a13137e

  • SHA1

    7fefc1609a4e66d234abb47a1536857317bdb31b

  • SHA256

    4b3af4ebfe94ecb1730c15620080935f619b6592fad681921968f986c030c0c3

  • SHA512

    c372806da30c98b047d46f8e70cce90f93829fe484ff5eb49354bd132a846ff126ea4c7024e5fae8de60c96117d940ea4fe2d6c783c67987354c7eee99c4638e

Score
10/10
xloaderef6cloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ef6c

C2

http://www.fis.photos/ef6c/

Decoy

gicaredocs.com

govusergroup.com

conversationspit.com

brondairy.com

rjtherealest.com

xn--9m1bq8wgkag3rjvb.com

mylori.net

softandcute.store

ahljsm.com

shacksolid.com

weekendmusecollection.com

gaminghallarna.net

pgonline111.online

44mpt.xyz

ambrandt.com

eddytattoo.com

blendeqes.com

upinmyfeels.com

lacucinadesign.com

docomoau.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\tmp\femp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp\femp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Users\Admin\AppData\Local\Temp\tmp\femp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp\femp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:4364
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\tmp\femp.exe"
          3⤵
            PID:3260

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3032-129-0x00000000067A0000-0x00000000068ED000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/3032-139-0x00000000035A0000-0x0000000003633000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3032-132-0x0000000003350000-0x0000000003404000-memory.dmp
        Filesize

        720KB

        Download
      • memory/3260-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3824-117-0x0000000005340000-0x0000000005341000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3824-118-0x0000000004D40000-0x0000000004D41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3824-119-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3824-120-0x0000000004E40000-0x000000000533E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3824-121-0x0000000004E10000-0x0000000004E15000-memory.dmp
        Filesize

        20KB

        Download
      • memory/3824-122-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3824-123-0x0000000005A90000-0x0000000005ADB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3824-115-0x0000000000460000-0x0000000000461000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4392-128-0x0000000001180000-0x0000000001191000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4392-130-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/4392-127-0x0000000001730000-0x0000000001A50000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/4392-131-0x00000000011B0000-0x00000000012FA000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4392-125-0x000000000041D3D0-mapping.dmp
        Download
      • memory/4392-124-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/4468-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4468-134-0x0000000000BC0000-0x0000000000C19000-memory.dmp
        Filesize

        356KB

        Download
      • memory/4468-135-0x0000000000590000-0x00000000005B9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/4468-136-0x0000000003190000-0x00000000034B0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/4468-138-0x0000000002FE0000-0x0000000003070000-memory.dmp
        Filesize

        576KB

        Download