Overview

overview

10

Static

static

0fa72e0e60...4f.exe

windows7_x64

10

0fa72e0e60...4f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-06-2022 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fa72e0e60187e79ab720cf120edab4f.exe

  • Size

    571KB

  • MD5

    0fa72e0e60187e79ab720cf120edab4f

  • SHA1

    0bc9f1238c5560286a7a0273497bee2e19b73d81

  • SHA256

    400cf8fe4f1f1d748f7e6696227fe25164aa51e2c731e5cc621d708d0015065b

  • SHA512

    93e9424a6d2f1c62c19397b835ddb69d48fe448e549222ba49d631467053f92625ddcb2a51c85b3bf202077c8c80e933e38b7a7fcc839c79775180ba10d73f9d

Score
10/10
xloadernekqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nekq

Decoy

/c9oNOPSc9aX85OuoqU=

OJ273U/T/c7no1jC

oPn68XFXJsCG6JOuoqU=

iAUbpb8k0vTRkUTK

pPasgiv9XQi4ESRJKCjRfGdj

J5jO/Yz6+M7no1jC

XdhiI9HBZsZlyKZ1jPx+JvxZEg==

uKpYHaMJ+OCnb0yGJ5d4Fg==

9/aD58LBdIIAdGJIaaiSTSuqn1/A

Q52txESw1ro3n3NlouzWgmgm06DFAvFR

nv0k5OdLOI8bBbwMrO7Lp059Fw==

NJ3N6nHo3qKAhDZJKCjRfGdj

z0FFAyMlzFonbTkMu79n

IxOiRvLolOiHw2lEcphyDfqqn1/A

Pi0Kkdu8Vr84Fg==

hGmJW4f0Eelq7fRazg3f1qZr

+O+SUb0HHflx55l0J5d4Fg==

raG3zxXI4rgz6Ipsia0=

OZuQHihvYzPayG4Ax70=

EYKIJDSGpYffFZOuoqU=

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe
    "C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe
      "C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1612-54-0x0000000001340000-0x00000000013D6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1612-55-0x00000000002F0000-0x000000000030E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1612-56-0x00000000052A0000-0x000000000530A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1612-57-0x0000000000B90000-0x0000000000BC2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1644-58-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1644-59-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1644-62-0x000000000041F670-mapping.dmp
    Download
  • memory/1644-61-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1644-63-0x0000000000A60000-0x0000000000D63000-memory.dmp
    Filesize

    3.0MB

    Download