Overview

overview

10

Static

static

3

443cdabab0...be.exe

windows7-x64

10

443cdabab0...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    443cdabab07bf375f119a8c22e2114be.exe

  • Size

    842KB

  • MD5

    443cdabab07bf375f119a8c22e2114be

  • SHA1

    2e155cb516dd9071271785a3f991e9255929e4ac

  • SHA256

    a57f84d7e89cc76408c67fbcc2c8e3c03bf98a8daa93209f3650ebffa09faabb

  • SHA512

    e224471cfffadd1c68b190ec8600b95e34c5618c26b8b2dbb4d902028025957f2cc68d3acbb8b3768a9176a22c00bc70456b8caa978b837ead45cb36b7642cb9

  • SSDEEP

    12288:rgDc9F3nC0Py3gAhMa0L7Gyf0fQbN7CGfyCwgztRfVZiEm28cn4OvNG:rnnMf27o7afVZzBG

Score
10/10
xloaderwufnloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wufn

Decoy

rsautoluxe.com

theroseofsharonsalon.com

singnema.com

nathanielwhite108.com

theforumonline.com

iqpt.info

joneshondaservice.com

fafene.com

solanohomebuyerclass.com

zwq.xyz

searchlakeconroehomes.com

briative.com

frystmor.city

systemofyouth.com

sctsmney.com

tv-safetrading.com

thesweetboy.com

occulusblu.com

pawsthemomentpetphotography.com

travelstipsguide.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\443cdabab07bf375f119a8c22e2114be.exe
    "C:\Users\Admin\AppData\Local\Temp\443cdabab07bf375f119a8c22e2114be.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Users\Admin\AppData\Local\Temp\443cdabab07bf375f119a8c22e2114be.exe
      "C:\Users\Admin\AppData\Local\Temp\443cdabab07bf375f119a8c22e2114be.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4048-12-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4048-16-0x0000000001530000-0x000000000187A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4048-15-0x0000000001530000-0x000000000187A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4556-5-0x0000000005C60000-0x0000000005C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4556-3-0x0000000005FB0000-0x0000000006554000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4556-7-0x0000000005BF0000-0x0000000005C46000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4556-6-0x0000000005920000-0x000000000592A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4556-0-0x0000000000E60000-0x0000000000F38000-memory.dmp
    Filesize

    864KB

    Download
  • memory/4556-8-0x00000000086D0000-0x00000000086E8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4556-9-0x00000000745E0000-0x0000000074D90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4556-10-0x00000000088A0000-0x000000000893E000-memory.dmp
    Filesize

    632KB

    Download
  • memory/4556-11-0x0000000006FC0000-0x0000000006FEE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4556-1-0x00000000745E0000-0x0000000074D90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4556-2-0x0000000005960000-0x00000000059FC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4556-14-0x00000000745E0000-0x0000000074D90000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4556-4-0x0000000005A00000-0x0000000005A92000-memory.dmp
    Filesize

    584KB

    Download