Overview

overview

10

Static

static

BANK DETAI...df.exe

windows7_x64

10

BANK DETAI...df.exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BANK DETAILS-26012022-971332pdf.exe

  • Size

    234KB

  • MD5

    915102405b44b4eb490450935905b4c5

  • SHA1

    cc89138f906776cc8ceb6135753bd1bfdc423846

  • SHA256

    234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8

  • SHA512

    d34136c97136cdb01cde174506dd02b250894f4427dcac3c0d98dbc2a417db0b1fd15ad950b491b5795fb345ebe4eba175baac23252d3222eb0e5d253adf4615

Score
10/10
xloaderbe4oloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

be4o

Decoy

neonewway.club

kuanghong.club

7bkj.com

ooo-club.com

kamchatka-agency.com

sjsndtvitzru.mobi

noireimpactcollective.net

justbe-event.com

easypeasy.community

southcoast.glass

janhenningsen.com

jmxyjj.com

tarihibilet.com

nagradi7.com

percentrostered.net

certvaxid.com

kingseafoodsydney.com

blacksheepwalk.com

waktuk.com

inteligenciaenrefrigeracion.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\BANK DETAILS-26012022-971332pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\BANK DETAILS-26012022-971332pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3324
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:988

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/572-128-0x0000000000B20000-0x0000000000B33000-memory.dmp
        Filesize

        76KB

        Download
      • memory/572-131-0x0000000004A00000-0x0000000004B97000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/572-130-0x0000000004D40000-0x0000000005060000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/572-129-0x0000000002D40000-0x0000000002D69000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1008-124-0x0000000000E90000-0x000000000102B000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1008-125-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1008-126-0x0000000001560000-0x0000000001571000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1008-122-0x0000000001030000-0x0000000001350000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1008-120-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2620-117-0x0000016ABA200000-0x0000016ABA240000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2620-119-0x0000016ABBE80000-0x0000016ABBE8E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2620-118-0x0000016ABC180000-0x0000016ABC182000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3040-123-0x0000000005410000-0x0000000005519000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3040-127-0x0000000006680000-0x0000000006806000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3040-132-0x00000000064C0000-0x00000000065DD000-memory.dmp
        Filesize

        1.1MB

        Download