Overview

overview

10

Static

static

fiyat talebi.exe

windows7_x64

10

fiyat talebi.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294209s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    08-04-2022 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fiyat talebi.exe

  • Size

    242KB

  • MD5

    cd5a1f00e5069978e2265c76b1ddf25d

  • SHA1

    b995ba1b34b3debabad436b14ad5c94829e6e27b

  • SHA256

    f2b30831e93ef719ecc6b3d7fa88509a1b77d35068d4d6ab2728d9938c8a7859

  • SHA512

    656bca68ff35b4f341f2347af02b0f68cf56b1e3a20629dd446e0abad18d229de2501879a002c7bf99b9b27890fc2e5c1171bb7d585312bf0eaf74827d30200c

Score
10/10
xloadercbgoloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe
      "C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
        C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
          C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1348
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe"
              6⤵
                PID:1652

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\n4ctxmrbh0uoaq3yha
      Filesize

      212KB

      MD5

      0800086693d43f3e3f5248c8789ef97c

      SHA1

      9779f40e0a93bd5825d7f715453924819b9a59e6

      SHA256

      089179b2f01e25d4117e018c7ebe402d2e4c68b9774c15f29fde43fa57aa32df

      SHA512

      8fa85746c74bd7b2361dab36e3228a1c8f27f2d6b9d6a01b10ab97f07212bdc1ba52724d4239cc76b649763be8c2d2f0f298430fbbb1af94d7d4e1f50d52e0f4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
      Filesize

      4KB

      MD5

      4189ad2dedcab199ef7a58a4c490733e

      SHA1

      023179460cc47e1ede06f9e4cc5b7ecfd87dadc2

      SHA256

      513b1e9affe4c24ff16e2156cb1bf14c0e7c75d53b6886341a01474e5c784f3b

      SHA512

      f27292ea85b5f4cf47c982dce736afdc69f9f0893b0a521546803e524e195a72b5a0e5c132a4f7fdcbed96baecfcee22f7e53363c71a309022dd312dee2597dc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      Filesize

      5KB

      MD5

      120556bf1317f6395f13ff5377e308d9

      SHA1

      f36799d4885de8cc8f8c947e4fc28e1a3a39beab

      SHA256

      63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46

      SHA512

      75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      Filesize

      5KB

      MD5

      120556bf1317f6395f13ff5377e308d9

      SHA1

      f36799d4885de8cc8f8c947e4fc28e1a3a39beab

      SHA256

      63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46

      SHA512

      75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      Filesize

      5KB

      MD5

      120556bf1317f6395f13ff5377e308d9

      SHA1

      f36799d4885de8cc8f8c947e4fc28e1a3a39beab

      SHA256

      63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46

      SHA512

      75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      Filesize

      5KB

      MD5

      120556bf1317f6395f13ff5377e308d9

      SHA1

      f36799d4885de8cc8f8c947e4fc28e1a3a39beab

      SHA256

      63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46

      SHA512

      75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      Filesize

      5KB

      MD5

      120556bf1317f6395f13ff5377e308d9

      SHA1

      f36799d4885de8cc8f8c947e4fc28e1a3a39beab

      SHA256

      63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46

      SHA512

      75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd

      Download Submit
    • memory/792-68-0x0000000000A10000-0x0000000000A21000-memory.dmp
      Filesize

      68KB

      Download
    • memory/792-63-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/792-64-0x000000000041D450-mapping.dmp
      Download
    • memory/792-67-0x0000000000700000-0x0000000000A03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/792-70-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/792-71-0x00000000022C0000-0x00000000022D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/804-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1196-80-0x0000000006E40000-0x0000000006FA6000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1196-69-0x0000000004C10000-0x0000000004D6C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1196-72-0x00000000065F0000-0x000000000673A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1348-77-0x0000000002260000-0x0000000002563000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1348-75-0x0000000000410000-0x0000000000424000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1348-76-0x0000000000090000-0x00000000000B9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1348-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1348-79-0x0000000001F90000-0x0000000002020000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1652-78-0x0000000000000000-mapping.dmp
      Download
    • memory/2040-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
      Filesize

      8KB

      Download