Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/12/2023, 22:36

General

  • Target

    b8ae19595ed2b1c06372f904f28c8983.exe

  • Size

    703KB

  • MD5

    b8ae19595ed2b1c06372f904f28c8983

  • SHA1

    4a1255c9a563cca8f7fa8c5e466900dac63669c3

  • SHA256

    2fbe2f9ceef4deca8b67d6cb32dc3cd8ebd422a95c24cf4392837f95ad560473

  • SHA512

    8792c9aadb77edc94b50fde8d638df3b234e9ea00dc558a21789c2791de99afbbcb4dd375fdbb9d43f4b7fb96c2d6469814de9e52617e88e01ded2e63bdbbc21

  • SSDEEP

    12288:9xZPU97PU9GkY3Mv5ux2BxOsBgo0q4wMbWDYSkijDWbA/AqBqDcibYvw/oyo/F3:9xAx2BxOsBgo0q4wMq79ScAoUcGEw+/F

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

uqf5

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • CustAttr .NET packer (1 IoC)

    Detects CustAttr .NET packer in memory.

  • Xloader payload (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe
    "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
    PID:2916
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe
      "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
      PID:2488
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • memory/2488-9-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/2488-14-0x00000000008F0000-0x0000000000BF3000-memory.dmp (3.0MB)
  • memory/2488-8-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/2488-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  • memory/2488-12-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/2916-3-0x00000000003C0000-0x00000000003D2000-memory.dmp (72KB)
  • memory/2916-6-0x0000000005300000-0x000000000537C000-memory.dmp (496KB)
  • memory/2916-7-0x0000000000530000-0x0000000000564000-memory.dmp (208KB)
  • memory/2916-5-0x0000000000570000-0x00000000005B0000-memory.dmp (256KB)
  • memory/2916-4-0x0000000074710000-0x0000000074DFE000-memory.dmp (6.9MB)
  • memory/2916-13-0x0000000074710000-0x0000000074DFE000-memory.dmp (6.9MB)
  • memory/2916-0-0x0000000000FE0000-0x0000000001096000-memory.dmp (728KB)
  • memory/2916-2-0x0000000000570000-0x00000000005B0000-memory.dmp (256KB)
  • memory/2916-1-0x0000000074710000-0x0000000074DFE000-memory.dmp (6.9MB)