Overview

overview

10

Static

static

enquiry n...21.exe

windows7_x64

10

enquiry n...21.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    enquiry no. 2770034921.exe

  • Size

    381KB

  • MD5

    5dde426d4383be37f818ee1205c50e11

  • SHA1

    060c70157ceea0b08243a53e4baae2331b4449f8

  • SHA256

    3f277a6819833eb0c7feab4e952301b4bac883e38ec8bd266093b6757d1920e8

  • SHA512

    3b56d429b5d471cda4a8087dca70d74093bc3ac55a0cefba7949a76b254927d1ccadbbbf5a60554162817e930ed83ecf1515745763c0f13680c4ca9548054ac3

Score
10/10
xloadergab7loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab7

Decoy

mbb11.xyz

taishancable.com

karaoke-sega.com

mana-space.com

danielandkaela.com

ancorasports.com

magentaclass.com

tenloe045.xyz

colorbold.com

5starrentertainment.com

candgconstructiontx.com

664cqi.com

alexeykazakov.com

umrashed.space

thepowerof10.club

scotchwoodofficeworks.com

anelis.digital

label34.group

karimico.com

dogsforsaleinkenya.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\enquiry no. 2770034921.exe
      "C:\Users\Admin\AppData\Local\Temp\enquiry no. 2770034921.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\enquiry no. 2770034921.exe
        "C:\Users\Admin\AppData\Local\Temp\enquiry no. 2770034921.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:984
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\enquiry no. 2770034921.exe"
        3⤵
          PID:632

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/984-125-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/984-128-0x00000000015A0000-0x00000000015B1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/984-127-0x0000000001A40000-0x0000000001D60000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3056-134-0x0000000006CC0000-0x0000000006E07000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3056-129-0x0000000006B70000-0x0000000006CB7000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3276-131-0x0000000000BD0000-0x0000000000BF9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3276-130-0x00000000010D0000-0x00000000010E9000-memory.dmp
      Filesize

      100KB

      Download
    • memory/3276-132-0x0000000004D10000-0x0000000005030000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3276-133-0x00000000049D0000-0x0000000004B62000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3484-123-0x00000000074C0000-0x000000000755C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3484-124-0x00000000075F0000-0x0000000007652000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3484-122-0x0000000004F60000-0x0000000004F6C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3484-121-0x0000000004CD0000-0x00000000051CE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3484-120-0x0000000004D20000-0x0000000004D2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3484-119-0x0000000004D70000-0x0000000004E02000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3484-117-0x0000000000480000-0x00000000004E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3484-118-0x00000000051D0000-0x00000000056CE000-memory.dmp
      Filesize

      5.0MB

      Download