Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    728KB

  • MD5

    7bf97c78987dee44d858343ed72da24b

  • SHA1

    e2a445bc4e5923b355aa977cfc73a94e08706c36

  • SHA256

    a01581f76331c0d9ac33410544e67422ad99c553d6c15a5d3d526c304c908554

  • SHA512

    d86e85ea50a4e8fc766c48b509d7bcabf43167ce58f731b6273c5b8c385f15b03e4c914bde8c569f508ecd6e9a7ccf5ee21d8558ef60097d7d8581c0318ee27f

Score
10/10
xloaderr007loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r007

Decoy

trashpandaservice.com

mobileads.network

ascolstore.com

gelsinextra.com

bonestell.net

heitoll.xyz

ceapgis.com

mon-lapin.biz

miq-eva.com

rematedesillas.com

playingonline.xyz

hausense.quest

tnyzw.com

appsdial.com

addcolor.city

hagenoblog.com

michaelwesleyj.com

she-zain.com

lorhsems.com

karmaserena.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
          PID:3568
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3472
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:3372
        • C:\Windows\SysWOW64\control.exe
          "C:\Windows\SysWOW64\control.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
            3⤵
              PID:2008

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/672-152-0x0000000007670000-0x00000000077AD000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/672-150-0x0000000007670000-0x00000000077AD000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/672-143-0x00000000032E0000-0x0000000003415000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2008-145-0x0000000000000000-mapping.dmp
          Download
        • memory/3280-130-0x0000000000310000-0x00000000003CC000-memory.dmp
          Filesize

          752KB

          Download
        • memory/3280-131-0x00000000052B0000-0x0000000005854000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3280-132-0x0000000004D00000-0x0000000004D92000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3280-133-0x0000000004DA0000-0x0000000004E3C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3280-134-0x0000000004C40000-0x0000000004C4A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3280-135-0x00000000088F0000-0x0000000008956000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3472-140-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/3472-142-0x0000000001290000-0x00000000012A1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3472-141-0x00000000015D0000-0x000000000191A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3472-138-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/3472-137-0x0000000000000000-mapping.dmp
          Download
        • memory/3568-136-0x0000000000000000-mapping.dmp
          Download
        • memory/5052-144-0x0000000000000000-mapping.dmp
          Download
        • memory/5052-147-0x0000000000330000-0x000000000035A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/5052-146-0x0000000000110000-0x0000000000137000-memory.dmp
          Filesize

          156KB

          Download
        • memory/5052-148-0x0000000002550000-0x000000000289A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/5052-149-0x0000000002330000-0x00000000023C0000-memory.dmp
          Filesize

          576KB

          Download
        • memory/5052-151-0x0000000000330000-0x000000000035A000-memory.dmp
          Filesize

          168KB

          Download