Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1b58203ecd...15.exe

windows7-x64

10

1b58203ecd...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 14:25 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b58203ecd7ef5d31ea39a5218b40115.exe

  • Size

    490KB

  • MD5

    1b58203ecd7ef5d31ea39a5218b40115

  • SHA1

    2770e86784c8e3bc62f59a02c92390bd74b6dc98

  • SHA256

    f5e9658f44135be66cc2cb4862c67326c803871e49a73b0376b266cb95c41f52

  • SHA512

    1f5e3a616713cf8daa6778ab6a895ed488ac294bf677b967ff68dec9a8fd0a14c679f4e0d79131640566f95f27cbf0bebf9f5291f70b7cd26e405a05b296fe9e

  • SSDEEP

    12288:dtfEdMQEJJMkdBvd1Zy8OfGPAE9Zsi4hdStfDWc8Q2tZsi:dtsdoJuEBvd1g5fGPP9Zsf

Score
10/10
xloaderk8b5loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

k8b5

Decoy

sardamedicals.com

reelectkendavis4council.com

coreconsultation.com

fajarazhary.com

mybitearner.com

brightpet.info

voicewithchoice.com

bailbondscompany.xyz

7133333333.com

delights.info

gawlvegdr.icu

sdqhpm.com

we2savvyok.com

primallifeathlete.com

gdsinglecell.com

isokineticmachines.com

smartneckrelax.com

gardenvintage.com

hiphopvolume.com

medicapoint.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b58203ecd7ef5d31ea39a5218b40115.exe
    "C:\Users\Admin\AppData\Local\Temp\1b58203ecd7ef5d31ea39a5218b40115.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\1b58203ecd7ef5d31ea39a5218b40115.exe
      "C:\Users\Admin\AppData\Local\Temp\1b58203ecd7ef5d31ea39a5218b40115.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4968

Network

  • flag-us
    DNS
    17.53.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.53.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • flag-us
    DNS
    59.128.231.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    59.128.231.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.241.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.241.123.92.in-addr.arpa
    IN PTR
    Response
    104.241.123.92.in-addr.arpa
    IN PTR
    a92-123-241-104deploystaticakamaitechnologiescom
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180deploystaticakamaitechnologiescom
  • flag-us
    DNS
    119.110.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    119.110.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    DNS
    Remote address:
    96.17.178.174:80
    Response
    HTTP/1.1 206 Partial Content
    Cache-Control: public, max-age=17280000
    Accept-Ranges: bytes
    X-AspNetMvc-Version: 5.2
    MS-CorrelationId: 109db4c0-4020-4910-9a33-b50fc482bfa5
    MS-RequestId: 15b02fe7-1fdd-411d-97bf-4acd8b288dfb
    MS-CV: JSoXw8DG40uXIcEU.1.0.2.1.1.0.0.20.1.1.6.1.1.1.0
    Content-Disposition: attachment; filename=Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe.Msix
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    X-Powered-By: ARR/3.0
    X-Powered-By: ASP.NET
    X-Azure-Ref-OriginShield: Ref A: 5FA6B13DFB4E4840971617AD80AFBDEF Ref B: MNZ221060607023 Ref C: 2023-03-15T18:24:31Z
    X-MSEdge-Ref: Ref A: A2AF8FDEBAA0471B8728CAB368EA24B9 Ref B: MEX30EDGE1207 Ref C: 2023-03-15T18:24:31Z
    Last-Modified: Wed, 15 Mar 2023 18:19:22 GMT
    ETag: "zz/eo+4uyTK7KXfTFIC318u927g="
    Date: Mon, 01 Jan 2024 02:16:26 GMT
    Content-Type: multipart/byteranges; boundary=6311D6B0A39E5CA4
    Connection: close
    X-CID: 2
    X-CCC: GB
  • 138.91.171.81:80
    156 B
     3
  • 204.79.197.200:443
    9.9kB
     293.2kB
     212
    212
  • 96.16.110.114:80
    46 B
     40 B
     1
    1
  • 20.123.104.105:443
  • 40.127.169.103:443
  • 96.16.110.41:443
  • 192.229.221.95:80
  • 96.16.110.114:80
  • 20.123.104.105:443
  • 40.127.169.103:443
  • 40.127.169.103:443
  • 40.127.169.103:443
  • 40.127.169.103:443
  • 20.114.59.183:443
  • 93.184.221.240:80
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 204.79.197.200:443
  • 192.229.221.95:80
  • 96.16.110.114:80
  • 96.17.178.180:80
  • 96.17.178.180:80
  • 92.123.241.104:80
  • 92.123.241.104:80
  • 20.123.104.105:443
  • 20.54.110.119:443
  • 96.16.110.114:80
  • 96.16.110.114:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.16.110.114:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
    http
    3.7kB
     230.6kB
     81
    167

    HTTP Response

    206
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
    19.5kB
     438.7kB
     292
    315
  • 96.17.178.174:80
  • 96.17.178.174:80
    5.1kB
     308.7kB
     110
    221
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 96.17.178.174:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 88.221.134.32:80
  • 88.221.134.32:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 20.50.80.209:443
  • 192.229.221.95:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 93.184.221.240:80
  • 93.184.221.240:80
  • 96.17.178.176:80
  • 96.17.178.176:80
  • 8.8.8.8:53
    17.53.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    17.53.126.40.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    59.128.231.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    59.128.231.4.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
    104.241.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    104.241.123.92.in-addr.arpa

  • 8.8.8.8:53
    119.110.54.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    119.110.54.20.in-addr.arpa

  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53
  • 8.8.8.8:53

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2540-7-0x0000000008870000-0x000000000890C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2540-10-0x0000000008580000-0x00000000085E8000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2540-2-0x00000000075B0000-0x0000000007B54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2540-3-0x00000000070B0000-0x0000000007142000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2540-4-0x0000000007080000-0x0000000007090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2540-5-0x0000000007190000-0x000000000719A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2540-1-0x0000000000180000-0x0000000000200000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2540-8-0x0000000074D70000-0x0000000075520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2540-0-0x0000000074D70000-0x0000000075520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2540-9-0x0000000007080000-0x0000000007090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2540-6-0x0000000007360000-0x000000000737C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2540-11-0x0000000004680000-0x00000000046B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2540-14-0x0000000074D70000-0x0000000075520000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4968-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4968-15-0x0000000001AB0000-0x0000000001DFA000-memory.dmp

    Filesize

    3.3MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.