Overview

overview

10

Static

static

d73dfe16ee...e2.exe

windows7-x64

10

d73dfe16ee...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

  • Size

    984KB

  • MD5

    1451fb0f3e10bfec2ff424da9147c75e

  • SHA1

    1f8e0881fad737fc59d900c53d46ccc937ccdf3a

  • SHA256

    d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2

  • SHA512

    51786f8ef1b6877b872ae2c7e564b52ea731cefef3e037b1b56cc4a363dbf602bfa455d17c09b6c1d9e15e11e11a7e149e885b87ef9c203cbd4aac603e32bf8d

  • SSDEEP

    12288:OWW3hkl/81RWR+5eJ0rGqvcRSvYRPyZVSBWeFkTxv39:ikl0DxeJyGh4YRPLFkJ9

Score
10/10
xloadere68nloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

e68n

Decoy

ds3i.com

integrityconnect.info

jhpaolilo.com

aprilgraberphotography.com

globe-gist.com

blackwellheatingandcooling.com

gossgoddard.com

memoriesmade-l.com

ozsmiwd.icu

pelzerforcongress.com

infinitybytg.com

gczp22.com

logonanet.com

998899sj.com

xn--vhqqb859burbuz7jebh.com

savorysinsation.com

cumykuf.icu

ourbella.com

isurfkarma.com

thepostmail.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
    "C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
      "C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1700-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1700-139-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1700-140-0x00000000017B0000-0x0000000001AFA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4556-132-0x0000000000500000-0x00000000005FC000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/4556-133-0x0000000004F90000-0x000000000502C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4556-134-0x0000000005690000-0x0000000005C34000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4556-135-0x00000000050E0000-0x0000000005172000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4556-136-0x0000000005030000-0x000000000503A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4556-137-0x0000000005180000-0x00000000051D6000-memory.dmp
    Filesize

    344KB

    Download