Analysis
-
Max time kernel: 122s
Max time network: 136s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 25/12/2023, 03:21

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 02ae7f4c28fa27bb522b25762a2eacab.exe
Resource: win7-20231215-en
General
-
Target: 02ae7f4c28fa27bb522b25762a2eacab.exe
Size: 271KB
MD5: 02ae7f4c28fa27bb522b25762a2eacab
SHA1: 5b49eb9e66a71e42591e4761d17084869ca7f4b2
SHA256: 79e535de63f31e04e3565e35d8fcad297ff2dd8bda659a15c13ccee4a11a6e30
SHA512: 78e3ba30d608a1d5a6db1cd5677e62e85b940e8a6422d5bc1ca80f77825534cc97a8b7a80a26a50d72c4e62c213cda4af7673373119993a901929cb9ca35f2e7
SSDEEP: 6144:OK++hEjavND5MppH7SZebWtvzwYU8bu5pn8kUUXtwjlp1am09h:lMLH7fbAvzwp8bmpn8kUUdmza/
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: q6fg
Decoy domains (XLoader embeds a list of decoy domains and generates traffic to them alongside its real C2, so treat the list as a fingerprint of this build rather than as a C2 list; blocking every entry is noisy and individual entries are weak indicators on their own):
bunny3d.com
sentralboneka.com
g2ekem8w2k.com
woodssilencer.com
tinytrailers4bigadventures.com
sandrafouty.com
brightlightsbuzz.com
macadamiaprinting.com
risentrainingandevent.com
ccuupommdeedesscontooooo.com
yourvotetravels.com
omsharmainsurance.com
automatedgatesmanchester.com
papeleriabooks.com
12580xk.com
illuminategenuinehope.xyz
thedevelopersblog.com
medicretidtcorp.com
therimesofisrael.com
syakira09.xyz
ihbiblestudy.com
728215.com
thevyvd.com
disturbingsickle.life
rennenautomotive.com
virtualportion.com
secretjazzsociety.com
jgjdist.com
escobarinc.info
superfoundersinc.com
virtualtour-hk.com
20poundsledge.com
balletfoundationsd.com
pakjapantv.com
covid19-teruggave.info
beedigi.com
redonioncompany.com
themiriamproject.com
online-destek.club
ibluedotlivewdmall.com
kulscorp.com
emcasacomomundo.com
radioshackhelp.com
institut-armonia.com
neurolink-monitoring.com
goingtheextramitchell.com
purgemaskhalloween.com
bloomingintoyou.com
hollandmitours.com
ringcraftstudios.com
hackensackautorepair.com
iphose.com
swimtrue.com
sleekbycole.com
houstoncarservices.com
daniellemaybach.com
low-zero.com
sexcard.site
getmefuckinghired.com
astoicproducitions.com
xuuch.com
blinbins.com
439yh.com
thetopping.com
sweetmissy.net
Signatures
-
Read together, the rows below describe one chain: the first instance (PID 2800) spawns a second instance of the same executable (PID 2728), writes into it five times, resets its main thread context, and the xloader YARA rule then fires on the child's 0x400000-0x429000 region, the usual image base of a 32-bit executable. That is the process-hollowing pattern; the unpacked payload lives in PID 2728, not in the parent.

Xloader payload 1 IoCs
resource                                                                    yara_rule
behavioral1/memory/2728-3-0x0000000000400000-0x0000000000429000-memory.dmp  xloader

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                               procid_target
PID 2800 set thread context of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2728  02ae7f4c28fa27bb522b25762a2eacab.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2800  02ae7f4c28fa27bb522b25762a2eacab.exe

Suspicious use of WriteProcessMemory 5 IoCs
description                      pid   Process                               procid_target
PID 2800 wrote to memory of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17
PID 2800 wrote to memory of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17
PID 2800 wrote to memory of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17
PID 2800 wrote to memory of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17
PID 2800 wrote to memory of 2728  2800  02ae7f4c28fa27bb522b25762a2eacab.exe  17
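The correlation a triage analyst does by eye on the rows above, written out as an added example (this is not part of the sandbox report or of any sandbox's code). It parses the signature rows in the report's own wording, pairs cross-process writes with thread-context resets per source/target PID, checks whether both processes run the same image (self-hollowing), and checks whether the YARA-matched memory dump belongs to the injection target. The row format, the dump file name format and the process map are taken from this report; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed input: the signature rows from this report, one per line, in the
# sandbox's "PID <src> <action> <dst> <pid> <image> <procid>" wording.
SIGNATURE_ROWS = """
PID 2800 set thread context of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
PID 2800 wrote to memory of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
PID 2800 wrote to memory of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
PID 2800 wrote to memory of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
PID 2800 wrote to memory of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
PID 2800 wrote to memory of 2728 2800 02ae7f4c28fa27bb522b25762a2eacab.exe 17
""".strip().splitlines()

# Constructed input: the process tree from this report (pid -> image name) and
# the memory dump that matched the xloader YARA rule.
PROCESS_IMAGES = {
    2800: "02ae7f4c28fa27bb522b25762a2eacab.exe",
    2728: "02ae7f4c28fa27bb522b25762a2eacab.exe",
}
YARA_HIT_DUMP = "behavioral1/memory/2728-3-0x0000000000400000-0x0000000000429000-memory.dmp"

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)$"
)
# Dump names are "<pid>-<n>-0x<start>-0x<end>-memory.dmp" in this report.
DUMP_RE = re.compile(
    r"/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_rows(rows):
    """Group rows by (source pid, target pid), counting writes and context resets."""
    pairs = defaultdict(lambda: {"write": 0, "ctx": 0, "image": None})
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # skip rows that are not in the expected wording
        entry = pairs[(int(m["src"]), int(m["dst"]))]
        entry["image"] = m["image"]
        if m["action"] == "wrote to memory of":
            entry["write"] += 1
        else:
            entry["ctx"] += 1
    return dict(pairs)


def parse_dump_name(name):
    """Return pid, start, end and size of a memory dump, or None if unparseable."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def find_hollowing(rows, process_images, yara_dump=None):
    """Flag src->dst pairs that show a cross-process write combined with a
    thread-context reset, and enrich each with the same-image and YARA checks."""
    dump = parse_dump_name(yara_dump) if yara_dump else None
    findings = []
    for (src, dst), e in parse_rows(rows).items():
        if src == dst or e["write"] == 0 or e["ctx"] == 0:
            continue
        in_target = bool(dump and dump["pid"] == dst)
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": e["write"],
            "context_resets": e["ctx"],
            # Same image on both sides is the self-hollowing variant seen here.
            "same_image": process_images.get(src) == process_images.get(dst),
            "payload_in_target": in_target,
            "payload_region": (dump["start"], dump["size"]) if in_target else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SIGNATURE_ROWS, PROCESS_IMAGES, YARA_HIT_DUMP):
        print(f)
```

On this report the script yields one finding: 2800 -> 2728, five writes, one context reset, same image, and the YARA-matched region at 0x400000 with size 0x29000 inside the target. A hit where the images differ would point at hollowing of a legitimate host process instead, which is the variant to expect from other XLoader loaders.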
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe"
   PID: 2800
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe  (child of PID 2800)
      Command line: "C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe"
      PID: 2728
      - Suspicious behavior: EnumeratesProcesses