Overview

overview

10

Static

static

SecuriteIn...18.exe

windows7_x64

10

SecuriteIn...18.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.32118.exe

  • Size

    273KB

  • MD5

    c52ecabaed16aba5fac89d694e7508dc

  • SHA1

    492c8828a332dbcc0f68d5ee5b17d9ae994b48c4

  • SHA256

    276c6876c250e5ebfd761d05937f5a48f7e4c9a6851293a77ab9bf683c8bbf80

  • SHA512

    e8ab6c6c0388f879ba9b2a5628ba1d21b2a21c4c4d99dde017596e8107e5a439b840bc4e751e1af6444fd56046d7a567363aa1edb19d8094329c4324147d777f

Score
10/10
xloadervweqloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy

malang-media.com

mrsfence.com

lubetops.com

aitimedia.net

montecryptocapital.com

ahwmedia.com

bvmnc.site

bggearstore.com

bcsantacoloma.online

alltimephotography.com

santacruz-roofings.com

leaplifestyleenterprises.com

censovet.com

similkameenfarms.com

undisclosed.email

thetrinityco.com

rapiturs.com

jedlersdorf.info

mh7jk12e.xyz

flygurlblogwordpress.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.32118.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.32118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
          PID:1672
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          3⤵
            PID:956
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            3⤵
              PID:936
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:856
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:964

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/856-64-0x0000000000150000-0x0000000000161000-memory.dmp
            Filesize

            68KB

            Download
          • memory/856-56-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/856-57-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/856-63-0x00000000009C0000-0x0000000000CC3000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/856-59-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/856-60-0x000000000041F280-mapping.dmp
            Download
          • memory/856-62-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1256-73-0x0000000002B50000-0x0000000002C1A000-memory.dmp
            Filesize

            808KB

            Download
          • memory/1256-65-0x0000000006440000-0x0000000006582000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/1256-72-0x0000000002B50000-0x0000000002C1A000-memory.dmp
            Filesize

            808KB

            Download
          • memory/1464-55-0x0000000000520000-0x0000000000554000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1464-54-0x0000000001320000-0x0000000001368000-memory.dmp
            Filesize

            288KB

            Download
          • memory/1656-66-0x0000000000000000-mapping.dmp
            Download
          • memory/1656-67-0x0000000075381000-0x0000000075383000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1656-68-0x0000000000FF0000-0x0000000001004000-memory.dmp
            Filesize

            80KB

            Download
          • memory/1656-69-0x0000000000090000-0x00000000000BB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1656-70-0x0000000002410000-0x0000000002713000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/1656-71-0x0000000000A60000-0x0000000000AF0000-memory.dmp
            Filesize

            576KB

            Download