Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    05-07-2022 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    331KB

  • MD5

    4a80cec907b418a133ad5d3eea96923f

  • SHA1

    b7772efaa512ed3465b17e07af829fedd9a885df

  • SHA256

    54dd1a6be86907485cb1f716306eb8918116f873a9382e10d92f6632491c1074

  • SHA512

    e8af59e857347c22a0cea3981122018b472482382fe11c642c4a67d182fc6aa78ea257f63630b36358b95304cbd07bc1048b35163af72fbb87329f3f1897bb2c

Score
10/10
xloadersk8mloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sk8m

Decoy

cruisinforabluesin.net

elkntordo.quest

mtmoriginal.com

arespermire.quest

maisoulcolor.com

thegreekfarmerstaverna.com

midlife-fitness.com

uniquelyjessica.com

everybunnyeverybirdy.net

tryafaq.com

aandreashopp.com

selfyou.store

healthtradeusa.com

visiency.com

rainbowshopscom.com

raj-spostitve.com

jupiterflightband.com

haigui.ltd

theparentharbour.com

themutualfriend.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:832
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
          PID:1488

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/240-54-0x0000000000D40000-0x0000000000D96000-memory.dmp
      Filesize

      344KB

      Download
    • memory/832-55-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/832-56-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/832-58-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/832-59-0x000000000041D4A0-mapping.dmp
      Download
    • memory/832-61-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/832-62-0x00000000009E0000-0x0000000000CE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/832-63-0x0000000000280000-0x0000000000291000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1108-69-0x0000000001FA0000-0x00000000022A3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1108-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1108-67-0x00000000006C0000-0x00000000006E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1108-68-0x0000000000070000-0x0000000000099000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1108-70-0x0000000000580000-0x0000000000610000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1108-73-0x00000000757C1000-0x00000000757C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1200-64-0x0000000006690000-0x0000000006836000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1200-71-0x0000000007050000-0x00000000071B9000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1200-72-0x0000000007050000-0x00000000071B9000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1488-66-0x0000000000000000-mapping.dmp
      Download