Overview

overview

10

Static

static

SecuriteIn...24.exe

windows7_x64

10

SecuriteIn...24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    177s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.MSILHeracles.37963.6224.exe

  • Size

    564KB

  • MD5

    79c46056fb002fcd31fba21bae0d9221

  • SHA1

    56280d53bd4c977debbc0e36ff0b7a3f3b3e3786

  • SHA256

    37708373f6b4deb76e61c7a9c65200bba9f9d7ca7ebcd82d09242dd9231fa072

  • SHA512

    75a264463a0d90e10b9c930474d6ab10a3cbc143a4eed82bc5d51f29cb72a27b7743bfb169194e952df8666490eafa8bfbc78637995f4bf7bcd47fac59a80796

Score
10/10
xloadersnjqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snjq

Decoy

codezonesoftware.xyz

traexcel.com

smalltowncontractors.com

classicalequestrianacademy.com

jlvip1066.com

ovacup.online

foodcravings2312.com

dbelnlogoro.quest

valeriebeijing.com

steri-spiral.com

envisionpoolsnd.biz

adclw.net

smartaf5.xyz

tech4ad.com

trimilos.info

blockplace.club

gunpowderz.com

nayrajewels.com

fapcxi.xyz

mentication.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.37963.6224.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.37963.6224.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.37963.6224.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.MSILHeracles.37963.6224.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1644-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1644-137-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/1644-138-0x00000000015B0000-0x00000000018FA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2280-130-0x0000000000700000-0x0000000000790000-memory.dmp
    Filesize

    576KB

    Download
  • memory/2280-131-0x00000000056E0000-0x0000000005C84000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2280-132-0x0000000005130000-0x00000000051C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2280-133-0x00000000052C0000-0x00000000052CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2280-134-0x0000000000F20000-0x0000000000FBC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2280-135-0x0000000007890000-0x00000000078F6000-memory.dmp
    Filesize

    408KB

    Download