Analysis

  • max time kernel
    53s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2022 12:48

General

  • Target
    5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097.exe
  • Size
    556KB
  • MD5
    e866034515b719467290d53f5919d599
  • SHA1
    8cab0abfaaa087630930df86c8e25d5c9123dc75
  • SHA256
    5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097
  • SHA512
    a2601cfe472869b73fcec91aa03263ad74e49f2862d5dd22256376acf5002102c4f197a74116ebdafdd95744bf3c57a436c6a2e1850cf85351c3a9aafa48319d
  • SSDEEP
    6144:Kd5DMAYloj1/L8YEAQwgG5hUQf+a/07WbvW17ZdhG3uK1gSySxfcph:Kd5DMAzjN4YEAFdmaM6UjhCu+gSeph

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    h3qo
  • Decoy


Signatures

  • Xloader
    Xloader is a rebranded version of Formbook malware.
  • Xloader payload (2 IoCs)
  • Obfuscated with Agile.Net obfuscator (1 IoC)
    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097.exe
    "C:\Users\Admin\AppData\Local\Temp\5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097.exe"
    PID:1908
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097.exe (child process)
      "C:\Users\Admin\AppData\Local\Temp\5ed6b87afc6eddea0e7275496364bb9cc2b0246f7fe36069a69cdf50b6823097.exe"
      PID:768
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • memory/768-59-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/768-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/768-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/768-63-0x000000000041D0E0-mapping.dmp
  • memory/768-64-0x0000000000B70000-0x0000000000E73000-memory.dmp
    Filesize: 3.0MB
  • memory/1908-54-0x0000000000AE0000-0x0000000000B70000-memory.dmp
    Filesize: 576KB
  • memory/1908-55-0x00000000753C1000-0x00000000753C3000-memory.dmp
    Filesize: 8KB
  • memory/1908-56-0x0000000005240000-0x0000000005268000-memory.dmp
    Filesize: 160KB
  • memory/1908-57-0x0000000000AD0000-0x0000000000AE4000-memory.dmp
    Filesize: 80KB
  • memory/1908-58-0x0000000000A30000-0x0000000000A36000-memory.dmp
    Filesize: 24KB