Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294209s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    23-02-2022 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    706KB

  • MD5

    953708e0cefbd35c124e526d9f7bd4d2

  • SHA1

    5c3437b790aaca62b048c38f53584aedb6aaa118

  • SHA256

    5598831a8a17b53751f4c34112c7c4b42d4906a6e73d60018ae8d499ce605580

  • SHA512

    1b21b714b95ae43200b652178a99b815ac6f95a3e411497cf21592e3ecb788fe8e813a5d55299c044a3ec6ad362e584cce132801efcc2c64cc85324636969960

Score
10/10
xloadervfm2loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

vfm2

Decoy

alfaiptvturkiye.com

snagged.xyz

sarrosh.com

jpitkin.com

shiningproent.com

welcommon.com

oglesheatandair.com

qtomdnwj.xyz

threemee-pictures.com

refractory.online

ethercut.com

uniformityenegotiate.com

hawktech.club

adventplus.online

tuntun-newmarket.com

tiendasnea.online

thegranitegalleria.com

trawk.club

gold2guide.art

skphoolmakhana.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:524
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:904

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/524-64-0x00000000001D0000-0x00000000001E1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/524-58-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/524-62-0x00000000008A0000-0x0000000000BA3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/524-57-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/524-63-0x000000000041D000-0x000000000041E000-memory.dmp

      Filesize

      4KB

      Download

    • memory/524-59-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/524-61-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/572-66-0x00000000757C1000-0x00000000757C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/572-67-0x0000000000830000-0x0000000000844000-memory.dmp

      Filesize

      80KB

      Download

    • memory/572-68-0x00000000000D0000-0x00000000000F9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/572-69-0x00000000022D0000-0x00000000025D3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/572-70-0x0000000000760000-0x00000000007F0000-memory.dmp

      Filesize

      576KB

      Download

    • memory/1244-65-0x0000000006110000-0x000000000621F000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1244-71-0x00000000041E0000-0x0000000004280000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1908-56-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1908-55-0x0000000000410000-0x0000000000422000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-54-0x0000000000F50000-0x0000000001006000-memory.dmp

      Filesize

      728KB

      Download