Overview

overview

10

Static

static

61f6d8b5f8...2d.exe

windows7-x64

10

61f6d8b5f8...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61f6d8b5f81a50408b7f7651542b288715228f51498fbb8c690d50652e2f212d.exe

  • Size

    782KB

  • MD5

    64b091b2d9a92783188acd0ef73714ef

  • SHA1

    18949cc775d2194689a15dc3f684facfa8de52bc

  • SHA256

    61f6d8b5f81a50408b7f7651542b288715228f51498fbb8c690d50652e2f212d

  • SHA512

    802d31e77469ac3a193f8c1cb00a323b950acb3430cbec1d77e6ed33698899cff77edd62ea4c43aae4bf33f0530cc00b3db65be7f51e4e3a92e0cda7dce2fdc5

  • SSDEEP

    12288:hdyFqZH1iH0Cz85D1EWIxtyMY1WrsdDU/4aW6IqC04MKrqzj/5OfE0N:KFq5m0CYVerxFY4rqUnt4MZ35+

Score
10/10
xloaderd833loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

d833

Decoy

mediacritiquechic.com

emelinaphotography.com

angieblankpiano.com

dmkjqj.com

groupling.net

domainhustlerco.com

ez2elmer.xyz

cczsn.com

palenciamobley.com

beeplantia.com

theautotechguys.com

divasdealz.com

ndconfident.net

miibu.info

youmisp.info

vogelvrij.net

lugosjourney.com

naturesbesthealthfoodstore.com

sagessetoren.com

linkspetdesk.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f6d8b5f81a50408b7f7651542b288715228f51498fbb8c690d50652e2f212d.exe
    "C:\Users\Admin\AppData\Local\Temp\61f6d8b5f81a50408b7f7651542b288715228f51498fbb8c690d50652e2f212d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\61f6d8b5f81a50408b7f7651542b288715228f51498fbb8c690d50652e2f212d.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1300-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1300-138-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1300-139-0x0000000000F90000-0x00000000012DA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4640-132-0x00000000000F0000-0x00000000001BA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/4640-133-0x0000000005130000-0x00000000056D4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4640-134-0x0000000004B80000-0x0000000004C12000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4640-135-0x0000000004B60000-0x0000000004B6A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4640-136-0x00000000083C0000-0x000000000845C000-memory.dmp
    Filesize

    624KB

    Download