Overview

overview

10

Static

static

3

SecuriteIn...77.exe

windows7-x64

10

SecuriteIn...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2023 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe

  • Size

    793KB

  • MD5

    f299a3572c1ca67f5df9c027c50f5488

  • SHA1

    98ae2458837e4f2bc4e518fd867d3edd28c4236f

  • SHA256

    b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a

  • SHA512

    b67592a6fcb8110d41c86bc65141a4138fe251d139009f66235591e60a90905214d2694799f386f7ded8b1e247d38c024e8d102c05fdd645ba8045c81e7de4aa

  • SSDEEP

    12288:MotEJb4xECMrM7I+KA0Z2+8cjtHei+uo0hE/:nCCMrG/R0wTcjtHei+uo0hE/

Score
10/10
xloadermjyvloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mjyv

Decoy

wenyuexuan.com

tropicaldepression.info

healthylifefit.com

reemletenleafy.com

jmrrve.com

mabduh.com

esomvw.com

selfcaresereneneness.com

murdabudz.com

meinemail.online

brandqrcodes.com

live-in-pflege.com

nickrecovery.com

ziototoristorante.com

chatcure.com

corlora.com

localagentlab.com

yogo7.net

krveop.com

heianswer.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1688-54-0x0000000000940000-0x0000000000A0C000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1688-55-0x0000000074010000-0x00000000746FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1688-56-0x0000000004D50000-0x0000000004D90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1688-57-0x0000000074010000-0x00000000746FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1688-58-0x0000000004D50000-0x0000000004D90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1720-59-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1720-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1720-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1720-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1720-66-0x0000000000A10000-0x0000000000D13000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1720-67-0x0000000000A10000-0x0000000000D13000-memory.dmp
    Filesize

    3.0MB

    Download