Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21/06/2022, 11:07

Static task: static1
Behavioral task: behavioral1
Sample: AWB_811470484778.exe
Resource: win7-20220414-en
General
- Target: AWB_811470484778.exe
- Size: 450KB
- MD5: 2dce5b90b3f523aff613693f6d93769c
- SHA1: d9947b0881ac67b10687b48ed44a49c6198df310
- SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
- SHA512: 260b2415fe8afcc389d39df5fb50dd73969ac1c45ce3ffd38aefb8260bc36c31c0105275c69806a3fa58239b2aeaf193efd5c9e25ed092593ec6ab8d2a1eda28
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: h4st
- C2 domains:
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1672-62-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1672-63-0x000000000041D470-mapping.dmp | xloader
  behavioral1/memory/1672-69-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1988-73-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
  behavioral1/memory/1988-77-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
- Deletes itself (1 IoC)
  pid | Process
  1948 | cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1856 set thread context of 1672 | 1856 | AWB_811470484778.exe | 26
  PID 1672 set thread context of 1248 | 1672 | AWB_811470484778.exe | 18
  PID 1988 set thread context of 1248 | 1988 | raserver.exe | 18
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid | Process
  1672 | AWB_811470484778.exe (2 entries)
  1988 | raserver.exe (17 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process
  1672 | AWB_811470484778.exe (3 entries)
  1988 | raserver.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1672 | AWB_811470484778.exe
  Token: SeDebugPrivilege | 1988 | raserver.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1248 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  1248 | Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1856 wrote to memory of 1672 | 1856 | AWB_811470484778.exe | 26 (7 entries)
  PID 1248 wrote to memory of 1988 | 1248 | Explorer.EXE | 27 (4 entries)
  PID 1988 wrote to memory of 1948 | 1988 | raserver.exe | 28 (4 entries)
Processes
- C:\Windows\Explorer.EXE (PID 1248)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID 1856)
    command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID 1672)
      command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe (PID 1988)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1948)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      - Deletes itself