Overview

overview

10

Static

static

7t98b0nkQlBODdw.exe

windows7_x64

10

7t98b0nkQlBODdw.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-02-2022 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7t98b0nkQlBODdw.exe

  • Size

    1.0MB

  • MD5

    0466190246cd2f51a7784d53820242ac

  • SHA1

    f85c141f0d77f97ffea3af67866e1b311c2fb7bb

  • SHA256

    873dbebeb40efa109a634b2ca2cb3faeae658dae5c19b518f4769c6dd65f4d38

  • SHA512

    1f07df02ce04c07b1f94ebdf8095d1a4358059761f274b044acddc1bdf0d1145d9a40a2d7dbd499cec5a950d6bea6765b4a98f923ec2a84a0aff3972373e8e9e

Score
10/10
xloaderwdc8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\7t98b0nkQlBODdw.exe
      "C:\Users\Admin\AppData\Local\Temp\7t98b0nkQlBODdw.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Temp\7t98b0nkQlBODdw.exe
        "C:\Users\Admin\AppData\Local\Temp\7t98b0nkQlBODdw.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\7t98b0nkQlBODdw.exe"
        3⤵
        • Deletes itself
        PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1052-54-0x00000000000C0000-0x00000000001CC000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1052-55-0x000000007387E000-0x000000007387F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1052-56-0x00000000003F0000-0x0000000000400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1052-57-0x00000000074A0000-0x00000000074A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1052-58-0x0000000007AA0000-0x0000000007B4E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1052-59-0x0000000000800000-0x0000000000830000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1160-70-0x00000000000C0000-0x00000000000E9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1160-69-0x0000000000C00000-0x0000000000C16000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1160-73-0x0000000000880000-0x0000000000910000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1160-72-0x00000000754B1000-0x00000000754B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1160-71-0x0000000002020000-0x0000000002323000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1220-74-0x00000000041B0000-0x0000000004257000-memory.dmp
    Filesize

    668KB

    Download
  • memory/1220-66-0x0000000004EE0000-0x000000000504E000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1740-64-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1740-68-0x0000000000230000-0x0000000000241000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1740-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1740-67-0x00000000009A0000-0x0000000000CA3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1740-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1740-65-0x000000000041D000-0x000000000041E000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1740-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download