Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-01-2024 14:09

General

  • Target

    53b8c0b31af3ba5de658c119e39f73bc.exe

  • Size

    585KB

  • MD5

    53b8c0b31af3ba5de658c119e39f73bc

  • SHA1

    946d13ae1bcc275b3b1e3542b08f04803a93b50a

  • SHA256

    4311e97e616734f94d1aa4d38f37679749ae84513d132aee134fbc364d25b6ec

  • SHA512

    a2963aeca88f486c519fec957878616182c62ff7fb5f2fda36816678594a4b54192abe56088666328142ddef7479621222de66c5e74a52f69f9756463e417436

  • SSDEEP

    12288:WXe9PPlowWX0t6mOQwg1Qd15CcYk0We10dOi0I9xkhHnSumVWvc/dNNcEUKc:rhloDX0XOf4pI9mhHisENWj

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

noi6

Decoy

yow.today

rkdreamcreations.com

etheriumtech.com

stretchwrench.com

kiddiecruise.com

stickforward.com

videocineproduccion.com

roofinginamerica.com

amarillasnuevomexico.com

armfieldmillerripley.com

macyburn.club

lvbaoshan.com

shopshelponline.com

thebunnybrands.com

newsxplor.com

momunani.com

rebelnqueen.com

tusguitarras.com

nexab2b.com

e3office.express

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware. Like Formbook, it hides its real C2 among a list of decoy domains and contacts decoys alongside the real server, so treat the Decoy list above as indicators of this sample rather than as confirmed attacker infrastructure.

  • Xloader payload 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
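The "UPX packed file" and "AutoIT Executable" signatures above are static checks on the PE image. The following is an added example of how such checks are typically implemented; it is not the sandbox's own signature code. It walks the PE section table for UPX section names (UPX0/UPX1/UPX2), looks for the "UPX!" tag that stock UPX leaves in the header, and scans for the "AU3!EA06" marker that compiled AutoIt scripts carry. The `build_test_pe` helper fabricates a header-only PE for testing; it does not reproduce the sample on this page.

```python
import struct

# Markers used by the checks (assumed from public knowledge of UPX and AutoIt,
# not extracted from the sample on the page).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_TAG = b"UPX!"
AUTOIT_MARKER = b"AU3!EA06"


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns the section names (bytes, NUL-stripped), or [] if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(data: bytes) -> dict:
    """Return the packer/runtime indicators a signature engine would report."""
    names = pe_section_names(data)
    return {
        "sections": [n.decode("latin-1") for n in names],
        # Section names are the strong UPX indicator; the "UPX!" tag is a weaker
        # one that survives when a modified UPX renames the sections.
        "upx_packed": bool(UPX_SECTION_NAMES & set(names)) or UPX_TAG in data,
        "autoit_compiled": AUTOIT_MARKER in data,
    }


def build_test_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed test data: a minimal header-only PE (DOS header, PE signature,
    COFF header with a zero-size optional header, one 40-byte section header per
    name) followed by an arbitrary trailer. Not the sample from the report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + trailer


if __name__ == "__main__":
    sample = build_test_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\0" * 16 + AUTOIT_MARKER)
    print(classify(sample))
```

Both indicators are heuristics: a modified UPX may rename sections and strip the tag, and the AutoIt marker can be stripped from the resource data, so a miss is not proof that the file is unpacked or not AutoIt.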

Processes

  • C:\Users\Admin\AppData\Local\Temp\53b8c0b31af3ba5de658c119e39f73bc.exe (PID 2956)
    "C:\Users\Admin\AppData\Local\Temp\53b8c0b31af3ba5de658c119e39f73bc.exe"
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\53b8c0b31af3ba5de658c119e39f73bc.exe (PID 2032, child of PID 2956)
      "C:\Users\Admin\AppData\Local\Temp\53b8c0b31af3ba5de658c119e39f73bc.exe"

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\Local\Temp\oynspbvpsror

    Filesize

    216KB

    MD5

    0fe362b1c6d19ce9a16a63a18b31235c

    SHA1

    00201f7b6d9b2d1f7b0c05ff2ff64b041bb80dda

    SHA256

    01d97f5906f0ddb907de1e6d72358977c524fa4c49e847d22a6a3be3e4438ce8

    SHA512

    3c2ee0179f6a198f9b7eb88f0753eb70911f90e6291328a0c431122c84dfb02e0c2f122c5a16ac8dfbb6526dd6595e0e392db7791f25e3dd565455915f0d9aff

  • memory/2032-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2956-0-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/2956-11-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

  • memory/2956-9-0x0000000003630000-0x0000000003784000-memory.dmp

    Filesize

    1.3MB

  • memory/2956-8-0x0000000000990000-0x0000000000992000-memory.dmp

    Filesize

    8KB

  • memory/2956-7-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB
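The process tree and memory dumps together describe the sample re-launching its own image and writing into the child: the parent (PID 2956) triggers MapViewOfSection and WriteProcessMemory, and the child's image region at 0x400000 is 164KB where the parent's is 1.3MB, which is what a replaced (hollowed) image looks like. The following is an added example of correlating those three data sources into a single finding; it is not the sandbox's own detection logic. The event records are constructed to mirror the report above, and their field names (`pid`, `ppid`, `image`, `api`) are an assumed schema, not the sandbox's.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\53b8c0b31af3ba5de658c119e39f73bc.exe"

# Constructed records mirroring the report's process tree and signature hits.
PROCESSES = [
    {"pid": 2956, "ppid": None, "image": SAMPLE},
    {"pid": 2032, "ppid": 2956, "image": SAMPLE},
]
API_CALLS = [
    {"pid": 2956, "api": "MapViewOfSection"},
    {"pid": 2956, "api": "WriteProcessMemory"},
]
# Dump names copied from the report; the PID and address range are in the name.
MEMORY_DUMPS = [
    "memory/2032-10-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2956-0-0x0000000000400000-0x0000000000554000-memory.dmp",
    "memory/2956-11-0x0000000000400000-0x0000000000554000-memory.dmp",
    "memory/2956-9-0x0000000003630000-0x0000000003784000-memory.dmp",
    "memory/2956-8-0x0000000000990000-0x0000000000992000-memory.dmp",
    "memory/2956-7-0x0000000000980000-0x0000000000981000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
INJECTION_APIS = {"WriteProcessMemory", "MapViewOfSection"}


def parse_dump_name(name: str):
    """memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp -> pid, range and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start}


def image_region_size(dumps, pid: int, base: int = 0x400000):
    """Size of the dump that starts at the usual image base for this PID.
    The 0x400000 base is an assumption that holds for the dumps above."""
    for d in map(parse_dump_name, dumps):
        if d and d["pid"] == pid and d["start"] == base:
            return d["size"]
    return None


def find_self_injection(processes, api_calls, dumps):
    """Flag a child that runs the same image as its parent while the parent
    used memory-writing/mapping APIs, and compare the two image regions."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None or parent["image"].lower() != child["image"].lower():
            continue
        parent_apis = {c["api"] for c in api_calls if c["pid"] == parent["pid"]}
        if not parent_apis & INJECTION_APIS:
            continue
        p_size = image_region_size(dumps, parent["pid"])
        c_size = image_region_size(dumps, child["pid"])
        findings.append({
            "parent_pid": parent["pid"],
            "child_pid": child["pid"],
            "parent_apis": sorted(parent_apis & INJECTION_APIS),
            "parent_image_size": p_size,
            "child_image_size": c_size,
            # A different image size at the same base means the child's mapped
            # image is no longer the on-disk executable it was started from.
            "image_replaced": None not in (p_size, c_size) and c_size != p_size,
        })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, API_CALLS, MEMORY_DUMPS):
        print(f)
```

The size comparison is the useful part for triage: the child's 0x29000-byte (164KB) region at 0x400000 is the unpacked Xloader payload to carve, while the parent's 0x154000-byte (1.3MB) region is still the packed loader.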