Overview

overview

10

Static

static

f5G3iGDs25iJjZE.exe

windows7_x64

10

f5G3iGDs25iJjZE.exe

windows10-2004_x64

10

Resubmissions

22-03-2022 08:31

220322-keqg6segf3 10

17-03-2022 12:00

220317-n6d51adcg8 10

Analysis

  • max time kernel
    4294423s
  • max time network
    365s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    22-03-2022 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5G3iGDs25iJjZE.exe

  • Size

    1.1MB

  • MD5

    33899614b3fe24bc02dfb4c1f84dabdc

  • SHA1

    8dbc988c06f51cce14e4cc95717241fb1521fac6

  • SHA256

    b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c

  • SHA512

    30058e2e8d6da6b5e0db01cdab70cfb9af8bfb93aed69a009cdba0f1be4c9b805472a531a5abd4dc56f46349ff43a6ce797e98123898719a38e5329920aac5ad

Score
10/10
xloaderwdc8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5G3iGDs25iJjZE.exe
    "C:\Users\Admin\AppData\Local\Temp\f5G3iGDs25iJjZE.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\f5G3iGDs25iJjZE.exe
      "C:\Users\Admin\AppData\Local\Temp\f5G3iGDs25iJjZE.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 36
        3⤵
        • Program crash
        PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/740-54-0x0000000074A50000-0x000000007513E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/740-55-0x0000000000880000-0x000000000099C000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/740-56-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/740-57-0x0000000000840000-0x0000000000858000-memory.dmp
    Filesize

    96KB

    Download
  • memory/740-58-0x00000000080C0000-0x00000000081B8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/740-59-0x0000000002080000-0x00000000020B0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1620-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1620-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1620-64-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download