Overview

overview

10

Static

static

3

58f2fc9e3b...3d.exe

windows7-x64

10

58f2fc9e3b...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 12:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    58f2fc9e3b1e045d4f6040e0b15e7b3d.exe

  • Size

    1.3MB

  • MD5

    58f2fc9e3b1e045d4f6040e0b15e7b3d

  • SHA1

    3fd996467fc1b057e9f0fe436dd7f46cf460e688

  • SHA256

    5d73a302ff09dd9d39420703dc50c9530ac6e78b55c762f9c03df76be39d6c2c

  • SHA512

    a4d0627fedf36e64aca0dd5154189d0fd280f212adc8e700c3e01ce6a4fe818454b7f3afe79ae37d45b990573be9eaf8d9d3ef58aed2cb19f27d66c64c94d044

  • SSDEEP

    24576:l7rkW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+huE:lbiecHHgtrszyaNQuiNB/e

Score
10/10
xloaderp596loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p596

Decoy

ushistorical.com

lovepropertylondon.com

acupress-the-point.com

3772548.com

ambientabuse.com

primaveracm.com

themidwestmomblog.com

havasavunma.com

rockyroadbrand.com

zzphys.com

masque-inclusif.com

myeonyeokplus.com

linkernet.pro

zezirma.com

mysiniar.com

andreamall.com

mattesonauto.com

wandopowerinc.com

casaurgence.com

salishseaquilts.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58f2fc9e3b1e045d4f6040e0b15e7b3d.exe
    "C:\Users\Admin\AppData\Local\Temp\58f2fc9e3b1e045d4f6040e0b15e7b3d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Local\Temp\58f2fc9e3b1e045d4f6040e0b15e7b3d.exe
      "C:\Users\Admin\AppData\Local\Temp\58f2fc9e3b1e045d4f6040e0b15e7b3d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2976

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2752-6-0x0000000005330000-0x00000000053A6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2752-13-0x0000000074490000-0x0000000074B7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2752-2-0x0000000000570000-0x00000000005B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2752-3-0x0000000074490000-0x0000000074B7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2752-4-0x0000000000570000-0x00000000005B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2752-5-0x00000000004B0000-0x00000000004E6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2752-7-0x0000000000A20000-0x0000000000A50000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2752-0-0x0000000000A90000-0x0000000000BE2000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2752-1-0x0000000074490000-0x0000000074B7E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2976-9-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/2976-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2976-12-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/2976-8-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/2976-14-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

          Filesize

          3.0MB

          Download