Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 06:17

General

  • Target

    0afe819fb6bd54d591e7b5b368920793.exe

  • Size

    1.2MB

  • MD5

    0afe819fb6bd54d591e7b5b368920793

  • SHA1

    e353c08baaaedd5155a9f972cdd9c0deca5eae4f

  • SHA256

    68a5258c5c468efc0102b57b21cf9b641032d37746f510b2876d93a3271b10f2

  • SHA512

    611484b3c0a3131788931304cfddcff402e06a9d73dbe021b2f0cc00794ced7d5631cfe22d6597813942a24c8ad83d811c17cedbe6cf722e4a17b5864e05da00

  • SSDEEP

    24576:MYRTCmt2OsBgo0q4wMlay98EmOfWzY8d:MQ/oHMlaRJ8Sbd

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wufn

Decoy

rsautoluxe.com

theroseofsharonsalon.com

singnema.com

nathanielwhite108.com

theforumonline.com

iqpt.info

joneshondaservice.com

fafene.com

solanohomebuyerclass.com

zwq.xyz

searchlakeconroehomes.com

briative.com

frystmor.city

systemofyouth.com

sctsmney.com

tv-safetrading.com

thesweetboy.com

occulusblu.com

pawsthemomentpetphotography.com

travelstipsguide.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe
    "C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe
      "C:\Users\Admin\AppData\Local\Temp\0afe819fb6bd54d591e7b5b368920793.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3016-8-0x0000000002E80000-0x0000000002E92000-memory.dmp

    Filesize

    72KB

  • memory/3016-9-0x00000000750D0000-0x0000000075880000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-2-0x0000000005420000-0x00000000054BC000-memory.dmp

    Filesize

    624KB

  • memory/3016-4-0x0000000005580000-0x0000000005612000-memory.dmp

    Filesize

    584KB

  • memory/3016-5-0x0000000005500000-0x0000000005510000-memory.dmp

    Filesize

    64KB

  • memory/3016-3-0x0000000005A90000-0x0000000006034000-memory.dmp

    Filesize

    5.6MB

  • memory/3016-1-0x0000000000960000-0x0000000000A92000-memory.dmp

    Filesize

    1.2MB

  • memory/3016-7-0x0000000005770000-0x00000000057C6000-memory.dmp

    Filesize

    344KB

  • memory/3016-0-0x00000000750D0000-0x0000000075880000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-6-0x0000000005540000-0x000000000554A000-memory.dmp

    Filesize

    40KB

  • memory/3016-10-0x0000000005500000-0x0000000005510000-memory.dmp

    Filesize

    64KB

  • memory/3016-11-0x0000000006FD0000-0x0000000007048000-memory.dmp

    Filesize

    480KB

  • memory/3016-12-0x0000000007080000-0x00000000070B0000-memory.dmp

    Filesize

    192KB

  • memory/3016-15-0x00000000750D0000-0x0000000075880000-memory.dmp

    Filesize

    7.7MB

  • memory/4292-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4292-17-0x0000000000FB0000-0x00000000012FA000-memory.dmp

    Filesize

    3.3MB