Overview

overview

10

Static

static

Proforma I...DF.exe

windows7_x64

10

Proforma I...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proforma Invoice #09876-INV-Order.PDF.exe

  • Size

    652KB

  • MD5

    e6deb32888a854099ad15feea9a528b6

  • SHA1

    50f6573ee795bb5301ab75d3d1fe54cb02f4cef2

  • SHA256

    e0da8ee3e3841832297dbb9aa41c61a4c0d4ed14cd62153da3742a5dfa7ea6e1

  • SHA512

    ba35bb7d5cb11c4a3aff0bcb0c015f0cabdbc19325fcab2930bcd023b893a446780e8e580a560fbb45475e552b15ca6fa65e374f001824b670c07f18d8d9fa10

Score
10/10
xloaderpoutloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pout

Decoy

leadergaterealty.com

k7bsz.info

laidjapp1.com

eastcountytaxi.com

betterlife-uae.com

materaiku.com

chanhxebinhthuan-hcm.online

06gjm.xyz

67t.xyz

here-we-meet.com

screened-articletoseetoday.info

lucykg.club

mujdobron.quest

susakhi.com

funtabse.com

unlimitedpain.com

2ed58fwec.xyz

weighttrainingexpert.com

allisonsheillax.com

yektaburgers.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:636
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
        3⤵
        • Deletes itself
        PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/636-59-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/636-64-0x0000000000180000-0x0000000000191000-memory.dmp
    Filesize

    68KB

    Download
  • memory/636-63-0x0000000000C30000-0x0000000000F33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/636-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/636-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/980-68-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/980-67-0x00000000004A0000-0x00000000005A4000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/980-69-0x00000000020A0000-0x00000000023A3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/980-70-0x00000000002F0000-0x0000000001F0C000-memory.dmp
    Filesize

    28.1MB

    Download
  • memory/1276-65-0x0000000006AF0000-0x0000000006C08000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1276-71-0x0000000006C10000-0x0000000006D25000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1520-58-0x00000000056F0000-0x0000000005774000-memory.dmp
    Filesize

    528KB

    Download
  • memory/1520-57-0x00000000003C0000-0x00000000003D4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1520-56-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1520-55-0x00000000766D1000-0x00000000766D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1520-54-0x0000000000B80000-0x0000000000C2A000-memory.dmp
    Filesize

    680KB

    Download