Overview

overview

10

Static

static

328bee37fc...4e.exe

windows7_x64

10

328bee37fc...4e.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 20:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    328bee37fcb028ff0d8b6b2c406b3b4e.exe

  • Size

    814KB

  • MD5

    328bee37fcb028ff0d8b6b2c406b3b4e

  • SHA1

    be9254a60f0301a22c6ab708b3829c2d61f21adb

  • SHA256

    11e5030403c99dfa27a1c41a8a3abf2408324166735b081a7db038c9a3ec357d

  • SHA512

    87677e6eb40a4163e2c23d500664d1bbc5502393de8db774ad1568b70e3f360c258a815db2665b61fabac9afb1e357b32f10af4ccc2cdc68f115d1eea2495aca

Score
10/10
xloaderpnugloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe
    "C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe
      "C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe"
      2⤵
        PID:4248
      • C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe
        "C:\Users\Admin\AppData\Local\Temp\328bee37fcb028ff0d8b6b2c406b3b4e.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4348

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3436-115-0x0000000000320000-0x00000000003F2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/3436-116-0x0000000005080000-0x000000000557E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3436-117-0x0000000004C40000-0x0000000004CD2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3436-118-0x0000000004B80000-0x000000000507E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3436-119-0x0000000004CE0000-0x0000000004CEA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3436-120-0x00000000070E0000-0x000000000717C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3436-121-0x0000000005750000-0x000000000575C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3436-122-0x000000007F930000-0x000000007F931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3436-123-0x0000000007320000-0x0000000007388000-memory.dmp
      Filesize

      416KB

      Download
    • memory/4348-124-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4348-125-0x0000000001740000-0x0000000001A60000-memory.dmp
      Filesize

      3.1MB

      Download