Overview

overview

10

Static

static

214410acd6...c1.exe

windows7_x64

10

214410acd6...c1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    214410acd621e551b295b93f5e5f61c1.exe

  • Size

    660KB

  • MD5

    214410acd621e551b295b93f5e5f61c1

  • SHA1

    5f6ecc217d61fe0675815eccb242663223c0f947

  • SHA256

    f6b709d4d41b801c2f5df85f05f3396ab9a2d0b1851ebdc5e434b03c184dacd6

  • SHA512

    7788d66004ef9d91faed6aa66c7e6f7bcd3a8d8d27dc6af5c31907165838921f46cdd76eea96b51da5c7b0a6af56a0f1abf3ab419a0844b500214140b19b2485

Score
10/10
xloadera2esloaderrat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a2es

Decoy

glutenfreebahrain.com

sportrid.com

js-films.com

cie-revolver.com

outsourcinginstitutebd.com

roboticsdatascience.com

tebrunk.com

needgreatwork.com

df1b8j2iwbl33n.life

voluum-training.com

cherna-roza.com

xiyouap.com

bluefiftyfoundation.com

angolettomc.com

yhcp225.com

keondredejawn.com

ifeelsilky.com

coraorganizing.com

smartmindstutorials.com

tanphucuong.info

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe
    "C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe
      "C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe"
      2⤵
        PID:3992
      • C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe
        "C:\Users\Admin\AppData\Local\Temp\214410acd621e551b295b93f5e5f61c1.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4808

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3740-130-0x0000000000970000-0x0000000000A1C000-memory.dmp
      Filesize

      688KB

      Download
    • memory/3740-131-0x0000000005860000-0x0000000005E04000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3740-132-0x00000000053B0000-0x0000000005442000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3740-133-0x0000000005540000-0x000000000554A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3740-134-0x0000000007E90000-0x0000000007F2C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3740-135-0x0000000008050000-0x00000000080B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3992-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4808-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4808-138-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/4808-139-0x00000000017A0000-0x0000000001AEA000-memory.dmp
      Filesize

      3.3MB

      Download