Overview

overview

10

Static

static

3

1f05d929e0...a9.exe

windows7-x64

10

1f05d929e0...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f05d929e0288a3d3ce3c53c111cfca9.exe

  • Size

    827KB

  • MD5

    1f05d929e0288a3d3ce3c53c111cfca9

  • SHA1

    679b18c7e7acfbb482bd1f40093db93c94697ae0

  • SHA256

    8441a8b048a19c276e9c25457b681b8167a82f4fdee86dc4722891d0dbb5043a

  • SHA512

    8a6233065618a775805aa44feda8ff98907b64d8b618fe470de15e8b911485d2cefc6cd06f8e333240b25943fb456adfa6c74b49de012c1c53d0fd67bf22d9bb

  • SSDEEP

    24576:YCXflUMjoJLCQM+yYav2OxWcMVz7mo5oFCEkv:vv+CXqaO79Fosv

Score
10/10
xloaderiuemloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

iuem

Decoy

agileatefoundation.com

preheimphotography.com

blueivymart.com

magetu.info

sunayah.com

gulumsecafe.com

belveder.net

pumpkinmangaming.com

playd6plus.com

thuanland.com

blacklivesmatterforreal.com

enviromentalco.com

ferronnstyle.com

mrbeagleshop.com

whmlqx.com

unifiedfederal.com

purest-you.com

ashleymartinonline.com

bayareaportraitphotographer.com

ysnrjelx.icu

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f05d929e0288a3d3ce3c53c111cfca9.exe
    "C:\Users\Admin\AppData\Local\Temp\1f05d929e0288a3d3ce3c53c111cfca9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\1f05d929e0288a3d3ce3c53c111cfca9.exe
      "C:\Users\Admin\AppData\Local\Temp\1f05d929e0288a3d3ce3c53c111cfca9.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/220-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/220-16-0x0000000001930000-0x0000000001C7A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1868-8-0x00000000028A0000-0x00000000028B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1868-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1868-4-0x0000000005040000-0x00000000050D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1868-5-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1868-6-0x0000000004F80000-0x0000000004F8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-7-0x0000000005280000-0x00000000052D6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1868-0-0x00000000745C0000-0x0000000074D70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1868-3-0x00000000055F0000-0x0000000005B94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1868-10-0x0000000004F20000-0x0000000004F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1868-11-0x0000000008D90000-0x0000000008E0C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1868-12-0x0000000008E10000-0x0000000008E44000-memory.dmp

    Filesize

    208KB

    Download

  • memory/1868-2-0x0000000004FA0000-0x000000000503C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1868-15-0x00000000745C0000-0x0000000074D70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1868-1-0x00000000004B0000-0x0000000000586000-memory.dmp

    Filesize

    856KB

    Download