Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21/06/2022, 11:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: AWB_811470484778.exe
- Resource: win7-20220414-en
General
- Target: AWB_811470484778.exe
- Size: 450KB
- MD5: 2dce5b90b3f523aff613693f6d93769c
- SHA1: d9947b0881ac67b10687b48ed44a49c6198df310
- SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
- SHA512: 260b2415fe8afcc389d39df5fb50dd73969ac1c45ce3ffd38aefb8260bc36c31c0105275c69806a3fa58239b2aeaf193efd5c9e25ed092593ec6ab8d2a1eda28
Malware Config
Extracted
xloader
2.5
h4st
hawkonline.club
unitedkingdomvoip.site
tbrme.com
ysxol.xyz
oviagrooming.com
pokerdominogame.com
perabett463.com
orderjoessteaks.com
sjczyw.com
christensonbrothers.com
stanegroupe.com
residencialseniorspa.com
eyetechlabs.com
lens-experts.com
69988.club
skateboardlovers.com
ourhighlandacres.net
dskensho343.xyz
dance985.com
iran-style.com
autism-101.com
hdwiz.online
atomcapital.net
seelenmedicus144.com
range4tis.com
affordablebathroomsbyfrank.net
sosienna.com
forge21.xyz
sinergiberkaryabersama.com
christinesyquia.com
newleafremodel.com
doitlive.online
hyiptron.com
hobartiamusic.com
dvfdressoutlet.com
puzzlelux.com
arkdia.xyz
turnerverve.quest
detectorlifestyle.com
milanoineout.com
zjins.com
globalfrances.com
cactus-aio.com
fzl-fs.com
freshiestuning.com
vertiney.com
mayclaim.com
8m1id.online
fiercefantasyshop.com
genesisrofprc.xyz
eventsp.xyz
morningvibecoffee.com
angellogordon.com
peopleonhealth.com
batuhanasut.com
fabianmarin.com
5starrentertainment.com
tauikrychy.space
magnetstudios.global
korenshop.com
mbljbspro.com
takeyourshot3500.pro
sjsteinhardt.com
cabanatvs.com
jenaeeaginshair.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload 5 IoCs
  resource | yara_rule
  behavioral1/memory/1120-62-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1120-63-0x000000000041D470-mapping.dmp | xloader
  behavioral1/memory/1120-65-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/968-71-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
  behavioral1/memory/968-76-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
- Deletes itself 1 IoCs
  pid | Process
  596 | cmd.exe
- Suspicious use of SetThreadContext 3 IoCs
  description | pid | Process | procid_target
  PID 1092 set thread context of 1120 | 1092 | AWB_811470484778.exe | 27
  PID 1120 set thread context of 1276 | 1120 | AWB_811470484778.exe | 13
  PID 968 set thread context of 1276 | 968 | help.exe | 13
- Suspicious behavior: EnumeratesProcesses 20 IoCs
  pid | Process
  1120 | AWB_811470484778.exe (2 entries)
  968 | help.exe (18 entries)
- Suspicious behavior: MapViewOfSection 5 IoCs
  pid | Process
  1120 | AWB_811470484778.exe (3 entries)
  968 | help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1120 | AWB_811470484778.exe
  Token: SeDebugPrivilege | 968 | help.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  pid | Process
  1276 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage 2 IoCs
  pid | Process
  1276 | Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory 15 IoCs
  description | pid | Process | procid_target
  PID 1092 wrote to memory of 1120 | 1092 | AWB_811470484778.exe | 27 (7 entries)
  PID 1276 wrote to memory of 968 | 1276 | Explorer.EXE | 28 (4 entries)
  PID 968 wrote to memory of 596 | 968 | help.exe | 29 (4 entries)
Processes
- C:\Windows\Explorer.EXE (PID: 1276)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID: 1092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID: 1120)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe (PID: 968)
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID: 596)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      - Deletes itself