Analysis

  • max time kernel
    122s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 03:21

General

  • Target

    02ae7f4c28fa27bb522b25762a2eacab.exe

  • Size

    271KB

  • MD5

    02ae7f4c28fa27bb522b25762a2eacab

  • SHA1

    5b49eb9e66a71e42591e4761d17084869ca7f4b2

  • SHA256

    79e535de63f31e04e3565e35d8fcad297ff2dd8bda659a15c13ccee4a11a6e30

  • SHA512

    78e3ba30d608a1d5a6db1cd5677e62e85b940e8a6422d5bc1ca80f77825534cc97a8b7a80a26a50d72c4e62c213cda4af7673373119993a901929cb9ca35f2e7

  • SSDEEP

    6144:OK++hEjavND5MppH7SZebWtvzwYU8bu5pn8kUUXtwjlp1am09h:lMLH7fbAvzwp8bmpn8kUUdmza/

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    q6fg
  • Decoy
    bunny3d.com
    sentralboneka.com
    g2ekem8w2k.com
    woodssilencer.com
    tinytrailers4bigadventures.com
    sandrafouty.com
    brightlightsbuzz.com
    macadamiaprinting.com
    risentrainingandevent.com
    ccuupommdeedesscontooooo.com
    yourvotetravels.com
    omsharmainsurance.com
    automatedgatesmanchester.com
    papeleriabooks.com
    12580xk.com
    illuminategenuinehope.xyz
    thedevelopersblog.com
    medicretidtcorp.com
    therimesofisrael.com
    syakira09.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe"
    PID:2800
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe (depth 2, child of PID 2800)
      "C:\Users\Admin\AppData\Local\Temp\02ae7f4c28fa27bb522b25762a2eacab.exe"
      PID:2728
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2728-3-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2728-4-0x0000000000B20000-0x0000000000E23000-memory.dmp

    Filesize

    3.0MB

  • memory/2800-1-0x0000000000300000-0x0000000000400000-memory.dmp

    Filesize

    1024KB

  • memory/2800-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

    Filesize

    8KB