Overview

overview

10

Static

static

IMG-022013758.exe

windows7_x64

10

IMG-022013758.exe

windows10_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-01-2022 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG-022013758.exe

  • Size

    1.2MB

  • MD5

    911dd6e4e76bd413bd62a3de696f6982

  • SHA1

    ad9ad231d5a86565f5ab719dd4a0e3eab42cfc5d

  • SHA256

    4724b55ca938b0bbdc393ddfecec9ccad30b911490e9fc1922546596526cdb04

  • SHA512

    b37bbf84af87cc3d17cafecbc351104344d665c39ffd8efc0801819c0f15a5f4d032ae8d6e0b46357f75a63aabcac3d6f9a2b68c4c2883c3168e6d0e39e97317

Score
10/10
xloaderp8celoaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\IMG-022013758.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG-022013758.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
          PID:1104

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/960-54-0x0000000000F40000-0x000000000106E000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/960-55-0x0000000000F40000-0x000000000106E000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/960-56-0x0000000000F00000-0x0000000000F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/960-57-0x00000000003E0000-0x00000000003F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1092-60-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1092-58-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1092-61-0x000000000041D490-mapping.dmp
      Download
    • memory/1092-64-0x0000000000280000-0x0000000000291000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1092-63-0x00000000008E0000-0x0000000000BE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1092-59-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1092-66-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1092-67-0x00000000003B0000-0x00000000003C1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1104-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1208-65-0x0000000006110000-0x0000000006268000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1208-68-0x0000000003E70000-0x0000000003F2C000-memory.dmp
      Filesize

      752KB

      Download
    • memory/1208-75-0x0000000004450000-0x0000000004568000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1828-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1828-70-0x0000000000CE0000-0x0000000000CE7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1828-71-0x00000000000C0000-0x00000000000E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1828-72-0x00000000020F0000-0x00000000023F3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1828-74-0x0000000000600000-0x0000000000690000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1828-76-0x0000000076151000-0x0000000076153000-memory.dmp
      Filesize

      8KB

      Download