Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 20:04

General

  • Target

    3a0f86482d12e9d3a275763997708d9b.exe

  • Size

    1.2MB

  • MD5

    3a0f86482d12e9d3a275763997708d9b

  • SHA1

    3f0c0e46ccc58b066331946101c9c8004fa8c9b2

  • SHA256

    b5918ac7fd3c3323260a3158fe0230b58cdb7098bb659285374e5e2dc1c75f7d

  • SHA512

    a2cad015fcb45163fdff6d99b5518d952635c7b0e19a47b31f8736f8a12ba21df1f13f0fa79e6e749dce826aeda0aa7e1ab42fd6138e96992fce59368bf52b5a

  • SSDEEP

    12288:NYokHiZLn+XEPxm8lh0CmGIwV3r5lUtWeiQR2q0+aeSj1fZ0SW64+mRyK033kwsG:NYccCmDGOsBgo0q4wM3L2q/rKLh3HzM

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u3r5

Decoy

alashan.ltd

demopagephequan.online

garxznql.icu

unetart.com

dajiangzhibo15.com

influencer.fund

beverlyhills.city

strefafryzur.net

giftboxhawaii.com

ecotiare.com

homeandgardenradioshow.com

sageandsandco.com

laflesoley.com

icipatanegra.online

autovistoriapredial.net

xn--polenezkypark-pmb.com

cbdamic.com

aaronandmarissa.com

datasoma.digital

theclosetology.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a0f86482d12e9d3a275763997708d9b.exe
    "C:\Users\Admin\AppData\Local\Temp\3a0f86482d12e9d3a275763997708d9b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\3a0f86482d12e9d3a275763997708d9b.exe
      "C:\Users\Admin\AppData\Local\Temp\3a0f86482d12e9d3a275763997708d9b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4876-8-0x0000000004900000-0x0000000004912000-memory.dmp

    Filesize

    72KB

  • memory/4876-9-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

  • memory/4876-2-0x0000000004F00000-0x0000000004F9C000-memory.dmp

    Filesize

    624KB

  • memory/4876-3-0x0000000005550000-0x0000000005AF4000-memory.dmp

    Filesize

    5.6MB

  • memory/4876-4-0x0000000005040000-0x00000000050D2000-memory.dmp

    Filesize

    584KB

  • memory/4876-5-0x0000000005010000-0x0000000005020000-memory.dmp

    Filesize

    64KB

  • memory/4876-7-0x0000000005230000-0x0000000005286000-memory.dmp

    Filesize

    344KB

  • memory/4876-6-0x0000000005000000-0x000000000500A000-memory.dmp

    Filesize

    40KB

  • memory/4876-0-0x0000000000430000-0x0000000000570000-memory.dmp

    Filesize

    1.2MB

  • memory/4876-10-0x0000000005010000-0x0000000005020000-memory.dmp

    Filesize

    64KB

  • memory/4876-1-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

  • memory/4876-11-0x0000000006900000-0x0000000006978000-memory.dmp

    Filesize

    480KB

  • memory/4876-15-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

  • memory/4876-12-0x0000000006AB0000-0x0000000006AE0000-memory.dmp

    Filesize

    192KB

  • memory/4888-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/4888-16-0x0000000000F40000-0x000000000128A000-memory.dmp

    Filesize

    3.3MB

  • memory/4888-17-0x0000000000F40000-0x000000000128A000-memory.dmp

    Filesize

    3.3MB