Analysis

  • max time kernel
    120s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 13:59

General

  • Target

    SNO22 PriceLetter595406_RACX-159814.exe

  • Size

    7KB

  • MD5

    7088f42f3e34585a113c57d472e7f6e9

  • SHA1

    a3bae33f21a6068eb3c76bc3e74c61df20d5596b

  • SHA256

    472f77899f797ab92af8a3b5eacbf827ce8e287971f4dd3a9f23ae00d7b25475

  • SHA512

    4a86a834ad2a6cc35ab62aa0af9cd8d9c87d9fa1daf1c8328cba856fc27569c8c7d89e64be714805fdc65af6022d5602c08237f5a1344fc6ff7e9d1c54fccb01

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe
    "C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      2⤵
        PID:2572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 192
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2552
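The tree above shows the classic hollowing shape: a tiny dropper in a user-writable Temp directory spawns a signed .NET framework utility (aspnet_regbrowsers.exe) as a host, writes into it with WriteProcessMemory and redirects execution with SetThreadContext, and the host then dies under WerFault. The following heuristic, added here as an example and not part of the sandbox report, encodes that pattern over a constructed event list. The PIDs, image paths, command lines and API flags are taken from the tree; the record layout (`Proc`) and the path patterns are assumptions for illustration.

```python
"""Process-hollowing heuristic over a sandbox-style process tree (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Parent-side APIs that, taken together, point at injection into a child.
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}

# Signed .NET framework utilities are popular hollowing hosts: they are
# trusted, 32-bit variants exist under Framework\, and they rarely run on their
# own. Pattern is an assumption; extend it with other hosts as you see them.
HOLLOW_HOST_RE = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\[\w.]+\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    apis: set = field(default_factory=set)


def find_hollowing(procs):
    """Return one finding per (parent, child) pair that matches the pattern."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or not HOLLOW_HOST_RE.match(child.image):
            continue
        if not INJECTION_APIS <= parent.apis:
            continue
        # WerFault is launched with "-p <crashing pid>"; a crashing host is a
        # common side effect of a payload that was mapped but not fixed up.
        crashed = any(
            p.image.lower().endswith("\\werfault.exe")
            and re.search(rf"-p\s+{child.pid}\b", p.cmdline)
            for p in procs
        )
        findings.append({
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "host": child.image,
            "parent_in_user_dir": bool(USER_WRITABLE_RE.match(parent.image)),
            "child_crashed": crashed,
        })
    return findings


# Constructed from the process tree in the report above.
TREE = [
    Proc(2648, None,
         r"C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"',
         {"SetThreadContext", "AdjustPrivilegeToken", "WriteProcessMemory"}),
    Proc(2572, 2648,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"'),
    Proc(2552, 2572,
         r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 192",
         {"EnumeratesProcesses", "AdjustPrivilegeToken"}),
]

if __name__ == "__main__":
    for f in find_hollowing(TREE):
        print(f)
```

The rule deliberately requires the two parent-side APIs together; WriteProcessMemory on its own is far too common in legitimate software, and a crash is treated as corroborating evidence rather than a requirement, since a correctly fixed-up payload does not crash the host.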

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2572-123-0x00000000003C0000-0x00000000003E9000-memory.dmp
    Filesize

    164KB

  • memory/2648-118-0x0000000000740000-0x0000000000748000-memory.dmp
    Filesize

    32KB

  • memory/2648-119-0x0000000005000000-0x0000000005001000-memory.dmp
    Filesize

    4KB

  • memory/2648-120-0x0000000002890000-0x00000000028A4000-memory.dmp
    Filesize

    80KB

  • memory/2648-121-0x0000000007AA0000-0x0000000007B3C000-memory.dmp
    Filesize

    624KB
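The dump names encode the owning PID, a sequence number and the virtual address range, so they can be checked against the stated sizes and grouped by process before anything is downloaded. The script below, an added example rather than part of the report, parses the five entries above (constructed inline from the listing), verifies that each range length matches its stated size and is page-aligned, and groups the regions by PID so the single region carved from the hollowed child (PID 2572) is easy to pick out. The filename grammar is inferred from these five names and is an assumption.

```python
"""Parse and sanity-check sandbox memory-dump listings (added example)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Assumed grammar: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)KB$")
PAGE = 0x1000


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int
    size: int        # bytes, computed from the address range
    stated_kb: int   # size as printed in the listing


def parse_dump(name: str, stated: str) -> Region:
    m = DUMP_RE.match(name)
    s = SIZE_RE.match(stated)
    if not m or not s:
        raise ValueError(f"unrecognised dump entry: {name!r} / {stated!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return Region(int(m["pid"]), int(m["seq"]), start, end, end - start, int(s.group(1)))


def page_aligned(r: Region) -> bool:
    return r.start % PAGE == 0 and r.end % PAGE == 0


def check_regions(listing: List[Tuple[str, str]]):
    """Return (regions, size mismatches, regions grouped by pid)."""
    regions = [parse_dump(n, s) for n, s in listing]
    mismatches = [r for r in regions if r.size != r.stated_kb * 1024]
    by_pid: Dict[int, List[Region]] = {}
    for r in regions:
        by_pid.setdefault(r.pid, []).append(r)
    return regions, mismatches, by_pid


# Constructed from the Downloads listing in the report above.
DUMPS = [
    ("memory/2572-123-0x00000000003C0000-0x00000000003E9000-memory.dmp", "164KB"),
    ("memory/2648-118-0x0000000000740000-0x0000000000748000-memory.dmp", "32KB"),
    ("memory/2648-119-0x0000000005000000-0x0000000005001000-memory.dmp", "4KB"),
    ("memory/2648-120-0x0000000002890000-0x00000000028A4000-memory.dmp", "80KB"),
    ("memory/2648-121-0x0000000007AA0000-0x0000000007B3C000-memory.dmp", "624KB"),
]

if __name__ == "__main__":
    regions, bad, by_pid = check_regions(DUMPS)
    for pid, rs in sorted(by_pid.items()):
        for r in rs:
            print(f"pid {pid} seq {r.seq}: 0x{r.start:08X}-0x{r.end:08X} "
                  f"{r.size} bytes aligned={page_aligned(r)}")
    print("size mismatches:", bad)
```

When triaging, start with the region belonging to the hollowed host rather than the dropper: here that is the single 164KB range in PID 2572, which is where the "Xloader Payload" signature would have fired if the injected image lives there (an inference from the tree, not something the report states explicitly).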