Overview

overview

10

Static

static

jvDX48oGKQdeYMi.exe

windows7_x64

10

jvDX48oGKQdeYMi.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-01-2022 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jvDX48oGKQdeYMi.exe

  • Size

    383KB

  • MD5

    99b9c988d90c490263510e46d63e1eb3

  • SHA1

    8d805807d852e5e7746c995d3c0d7bdd6480ee9b

  • SHA256

    e34c0a8218be6d3783e8cd61b8040b6b39004ad34e68c1cdb2f123b636e6b274

  • SHA512

    ef837611568b5e8c2d6857a085e4bcf2f2f33a556819ade65fe1f4301c5de9c6cf3165d79c90ad9c6a9ddae431c17cb26438c6dc5684d76e4202f17ef2b33327

Score
10/10
xloaderwdc8loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\jvDX48oGKQdeYMi.exe
      "C:\Users\Admin\AppData\Local\Temp\jvDX48oGKQdeYMi.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Local\Temp\jvDX48oGKQdeYMi.exe
        "C:\Users\Admin\AppData\Local\Temp\jvDX48oGKQdeYMi.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:572
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\jvDX48oGKQdeYMi.exe"
        3⤵
        • Deletes itself
        PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/572-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/572-64-0x0000000000830000-0x0000000000B33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/572-65-0x0000000000270000-0x0000000000281000-memory.dmp
    Filesize

    68KB

    Download
  • memory/572-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/572-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/900-59-0x0000000005000000-0x0000000005062000-memory.dmp
    Filesize

    392KB

    Download
  • memory/900-55-0x00000000001E0000-0x0000000000246000-memory.dmp
    Filesize

    408KB

    Download
  • memory/900-58-0x00000000004F0000-0x00000000004FC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/900-57-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/900-56-0x00000000769D1000-0x00000000769D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1200-66-0x0000000004D90000-0x0000000004EB4000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1200-72-0x0000000004BD0000-0x0000000004C6D000-memory.dmp
    Filesize

    628KB

    Download
  • memory/1764-68-0x00000000005F0000-0x00000000006F4000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1764-69-0x00000000000D0000-0x00000000000F9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1764-70-0x0000000002060000-0x0000000002363000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1764-71-0x0000000001C90000-0x0000000001ECC000-memory.dmp
    Filesize

    2.2MB

    Download