Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21/06/2022, 11:02

Static task: static1
Behavioral task: behavioral1
Sample: AWB_811470484778.exe
Resource: win7-20220414-en
General
- Target: AWB_811470484778.exe
- Size: 450KB
- MD5: 2dce5b90b3f523aff613693f6d93769c
- SHA1: d9947b0881ac67b10687b48ed44a49c6198df310
- SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
- SHA512: 260b2415fe8afcc389d39df5fb50dd73969ac1c45ce3ffd38aefb8260bc36c31c0105275c69806a3fa58239b2aeaf193efd5c9e25ed092593ec6ab8d2a1eda28
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: h4st
- Domains: 65 entries
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 4 IoCs
  resource                                                                       yara_rule
  behavioral2/memory/4148-137-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/4148-139-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/1300-145-0x0000000000D00000-0x0000000000D29000-memory.dmp   xloader
  behavioral2/memory/1300-149-0x0000000000D00000-0x0000000000D29000-memory.dmp   xloader

Suspicious use of SetThreadContext 3 IoCs
  description                          pid   Process               procid_target
  PID 2268 set thread context of 4148  2268  AWB_811470484778.exe  86
  PID 4148 set thread context of 2668  4148  AWB_811470484778.exe  39
  PID 1300 set thread context of 2668  1300  netsh.exe             39

Suspicious behavior: EnumeratesProcesses 44 IoCs
(identical rows collapsed; "hits" is the number of repeated rows)
  pid   Process               hits
  2268  AWB_811470484778.exe  2
  4148  AWB_811470484778.exe  4
  1300  netsh.exe             38

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   Process
  2668  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
(identical rows collapsed; "hits" is the number of repeated rows)
  pid   Process               hits
  4148  AWB_811470484778.exe  3
  1300  netsh.exe             2

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2268  AWB_811470484778.exe
  Token: SeDebugPrivilege  4148  AWB_811470484778.exe
  Token: SeDebugPrivilege  1300  netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs
(identical rows collapsed; "hits" is the number of repeated rows)
  description                       pid   Process               procid_target  hits
  PID 2268 wrote to memory of 1200  2268  AWB_811470484778.exe  85             3
  PID 2268 wrote to memory of 4148  2268  AWB_811470484778.exe  86             6
  PID 2668 wrote to memory of 1300  2668  Explorer.EXE          87             3
  PID 1300 wrote to memory of 4424  1300  netsh.exe             88             3
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 2668
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
    PID: 2268
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      PID: 1200
    - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      PID: 4148
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    PID: 1300
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      PID: 4424