Overview

overview

10

Static

static

1

vsl_rfq012...22.exe

windows7_x64

10

vsl_rfq012...22.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vsl_rfq01209800122.exe

  • Size

    249KB

  • MD5

    c348f7fa655d92a8af86e74aa75821e6

  • SHA1

    3b9a060bb64b880595287fcc300d4b5513acb879

  • SHA256

    fd86ed836eaae451df45e757be525d3c9260d72e0c8af2eb85f1832a8499eac1

  • SHA512

    65b4275494e326fa96b9e89e95c9688097eaddde8af4b57cbe01471f01986239fc314b914952286d0e1fe9543f93c44964e9191cc95bea7b345be606862495b4

Score
10/10
xloaderigwaloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe
      "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe
        "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:488
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1336
      • C:\Windows\SysWOW64\chkdsk.exe
        "C:\Windows\SysWOW64\chkdsk.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe"
          3⤵
            PID:1492

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\nsv1CEC.tmp\rgyunbk.dll
        MD5

        102bdaa73ca322fbf4ceca5a598869f7

        SHA1

        b88c98aba6bc55637782a9e78a49ca3f32ef150c

        SHA256

        84c4f3dcd65df355ed10044404c126697b8c1e55a9b1c37e4b43b35c77ae10a1

        SHA512

        aad7fcc36fd66722ca027d689536d32c9ce6994ba5f34d6e891ae973963b7c85cea33b05fdcde140bf087ff98c7dc23c643c07a14baead7404a39a3b99a93d77

        Download Submit
      • memory/488-122-0x0000000000510000-0x0000000000EA0000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/488-118-0x0000000000A20000-0x0000000000D40000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/488-119-0x0000000000880000-0x0000000000A1C000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/488-121-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/488-116-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1188-124-0x0000000001070000-0x000000000107A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1188-125-0x0000000000E00000-0x0000000000E29000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1188-126-0x00000000055B0000-0x00000000058D0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1188-127-0x0000000005270000-0x0000000005404000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3064-120-0x00000000062A0000-0x00000000063B3000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3064-123-0x0000000002C60000-0x0000000002D59000-memory.dmp
        Filesize

        996KB

        Download
      • memory/3064-128-0x0000000002DE0000-0x0000000002EB8000-memory.dmp
        Filesize

        864KB

        Download