Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    29/01/2023, 20:28

General

  • Target
    b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
  • Size
    756KB
  • MD5
    7c59504b9dfb4ff80ed8530c5bce9ed7
  • SHA1
    04aa7316158ef192b45b2501d4d09a73da05474c
  • SHA256
    b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d
  • SHA512
    b0f50962d31a3ffa1f9d259b5ae0f4d5bca9f1be76afcf76f503266ff5ccffafed00789b43fce758dc88ecc94fa636eab3bd8204a98eb4b37f3268c3b9acba4b
  • SSDEEP
    12288:9bodd+JGv9M6HLzLOKqyL4y2lHmKjgnXeZQcXMwxm:9Edd+Q/LRL4fmKkOZc

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    ur06
  • Decoy
    philippebrooksdesign.com
    cmoorestudio.com
    profille-sarina23tammara.club
    dqulxe.com
    uiffinger.com
    nolarapper.com
    maconanimalexterminator.com
    bisovka.com
    loveisloveent.com
    datication.com
    spxo66.com
    drhelpnow.com
    ladybug-cle.com
    macocome.com
    thepoppysocks.com
    eldritchparadox.com
    mercadolibre.company
    ismartfarm.com
    kansascarlot.com
    kevinld.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
    "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
      "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
      2⤵
      PID:1968
    • C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
      "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1816

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1816-136-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/1816-138-0x00000000017A0000-0x0000000001AEA000-memory.dmp
    Filesize: 3.3MB
  • memory/3496-132-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize: 5.7MB
  • memory/3496-133-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize: 5.7MB
  • memory/3496-137-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize: 5.7MB