Analysis

  • max time kernel
    37s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2023 19:38

General

  • Target

    ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb.exe

  • Size

    2.4MB

  • MD5

    402094b5077f7c94530f78882e1a9def

  • SHA1

    d0d7ac67bba3022b3649d8766402a3f67d84e688

  • SHA256

    ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb

  • SHA512

    7a0204b584706c44edfb031f7713b5589ffa0d4c681355a287920e7758c0b1cfdad2ba7abfaa6f7b928aa7193f04564a6818b9052535ba53ee25076f42ca3075

  • SSDEEP

    49152:RqoZ0ajbQzlK5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGF:5X0zli6u4985m0sQ1a7

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    ivay
  • Decoy
    b4ukid.com
    missioncontrol2030.com
    chriswhitefoto.com
    guepard-marine.com
    getlauded.com
    jingdonglm.com
    clintlove.com
    boldstrategicmedia.com
    bluebay3dwdmall.com
    aishag.com
    forexexpoaward.com
    basslakedisposal.com
    bukannyaterbuai36.com
    learntrhc.com
    cancunpolo.com
    case-cornershop.com
    tahiticomplementos.com
    dashanzhf.com
    wholeholistichealth.com
    inass-yassin.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • Xloader payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb.exe
    "C:\Users\Admin\AppData\Local\Temp\ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb.exe
      "C:\Users\Admin\AppData\Local\Temp\ba80a5efff5dcb59efb1cd4fd12ac508b6e1fb9774d119893fb721b2d1d8f8cb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 684
      2⤵
      • Program crash
      PID:1052

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1052-64-0x0000000000000000-mapping.dmp
  • memory/1720-54-0x0000000000B60000-0x0000000000DD8000-memory.dmp
    Filesize: 2.5MB
  • memory/1720-55-0x00000000762B1000-0x00000000762B3000-memory.dmp
    Filesize: 8KB
  • memory/1720-56-0x0000000005070000-0x00000000052D8000-memory.dmp
    Filesize: 2.4MB
  • memory/1720-57-0x0000000000210000-0x0000000000226000-memory.dmp
    Filesize: 88KB
  • memory/1856-58-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1856-59-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1856-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize: 164KB
  • memory/1856-62-0x000000000041D080-mapping.dmp
  • memory/1856-63-0x0000000000850000-0x0000000000B53000-memory.dmp
    Filesize: 3.0MB