Overview

overview

10

Static

static

banco_tran...22.exe

windows7_x64

1

banco_tran...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    28-02-2022 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    banco_transferencia0280222.exe

  • Size

    54KB

  • MD5

    75c063f3e5bc2c6d22d69808c5f05f23

  • SHA1

    2ed397d5b902e367bae3f07848c258b63f669997

  • SHA256

    6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267

  • SHA512

    6a4c3d048ee62edd468a510bab0657b5ef9a33b86c5005efaa8794358ceb3fa9ab986da63edd38cae0197264a82c6b1b4635d5cf400fc9111cc6eda4e5c6b9dc

Score
10/10
xloaderuar3loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

jogoreviravolta.com

keysine.com

sami60.com

morganators.com

referral.directory

campdiscount.info

vanwah.com

jmtmjz.com

der-transformationscode.com

evangelvalormedia.com

bedsidehomecare.com

novaair.net

privilegetroissecurity.com

elsiepupz.com

yy77kk.com

nt-renewable.com

alyaqoutalabyadhautoparts.com

start-play-now.com

myskew.com

himalaya-finance.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\banco_transferencia0280222.exe
      "C:\Users\Admin\AppData\Local\Temp\banco_transferencia0280222.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\banco_transferencia0280222.exe
        C:\Users\Admin\AppData\Local\Temp\banco_transferencia0280222.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:3708
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:4276
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:548
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:4160
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:4180
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:116
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:2800
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:556
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:3612
                      • C:\Windows\SysWOW64\msiexec.exe
                        "C:\Windows\SysWOW64\msiexec.exe"
                        2⤵
                        • Blocklisted process makes network request
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3656
                        • C:\Windows\SysWOW64\cmd.exe
                          /c del "C:\Users\Admin\AppData\Local\Temp\banco_transferencia0280222.exe"
                          3⤵
                            PID:3672

                      Network

                      MITRE ATT&CK Matrix

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1552-142-0x00000000026C0000-0x000000000277E000-memory.dmp
                        Filesize

                        760KB

                        Download
                      • memory/1552-151-0x0000000008030000-0x0000000008147000-memory.dmp
                        Filesize

                        1.1MB

                        Download
                      • memory/1552-146-0x0000000007B20000-0x0000000007C4E000-memory.dmp
                        Filesize

                        1.2MB

                        Download
                      • memory/3656-150-0x0000000002E50000-0x0000000002EE0000-memory.dmp
                        Filesize

                        576KB

                        Download
                      • memory/3656-149-0x0000000002FF0000-0x000000000333A000-memory.dmp
                        Filesize

                        3.3MB

                        Download
                      • memory/3656-148-0x0000000000F30000-0x0000000000F59000-memory.dmp
                        Filesize

                        164KB

                        Download
                      • memory/3656-147-0x00000000009E0000-0x00000000009F2000-memory.dmp
                        Filesize

                        72KB

                        Download
                      • memory/3808-141-0x0000000001D00000-0x0000000001D11000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/3808-145-0x0000000003640000-0x0000000003651000-memory.dmp
                        Filesize

                        68KB

                        Download
                      • memory/3808-140-0x000000000041D000-0x000000000041E000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/3808-139-0x00000000018D0000-0x0000000001C1A000-memory.dmp
                        Filesize

                        3.3MB

                        Download
                      • memory/3808-137-0x0000000000400000-0x0000000000429000-memory.dmp
                        Filesize

                        164KB

                        Download
                      • memory/3808-143-0x0000000000400000-0x0000000000429000-memory.dmp
                        Filesize

                        164KB

                        Download
                      • memory/3808-144-0x000000000041D000-0x000000000041E000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/4440-130-0x000000007506E000-0x000000007506F000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/4440-136-0x000000000B8E0000-0x000000000B972000-memory.dmp
                        Filesize

                        584KB

                        Download
                      • memory/4440-135-0x000000000BE90000-0x000000000C434000-memory.dmp
                        Filesize

                        5.6MB

                        Download
                      • memory/4440-134-0x000000000B820000-0x000000000B8D2000-memory.dmp
                        Filesize

                        712KB

                        Download
                      • memory/4440-133-0x000000000B710000-0x000000000B760000-memory.dmp
                        Filesize

                        320KB

                        Download
                      • memory/4440-132-0x0000000005250000-0x0000000005251000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/4440-131-0x0000000000740000-0x0000000000754000-memory.dmp
                        Filesize

                        80KB

                        Download