Overview

overview

10

Static

static

3

IMG_38575943.exe

windows7-x64

10

IMG_38575943.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 17:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_38575943.exe

  • Size

    341KB

  • MD5

    2a11ef715093c4429cd05dc3950c7f89

  • SHA1

    3199e3c72fc349d9cce951c2c8830d88a8da4454

  • SHA256

    50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158

  • SHA512

    24f2d7a608d421258334144217e97dccdeb023d5e621774f213eda210a8937df0c7d12cfd02e8c96d5951011d6142a320ca3b40bedb8ac6ad5f95ccc6d3d2d0a

  • SSDEEP

    6144:HqPwmYdAbc0C3LFDDOQmjUi0GL9jDAlPMKpPbd6j62AeI4KR0VoFtDFF7g:HqPwmYdAbc0CboQmjIGN6Pzd6j6/eWtU

Score
10/10
xloaderc6siloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c6si

Decoy

tristateinc.construction

americanscaregroundstexas.com

kanimisoshiru.com

wihling.com

fishcheekstosa.com

parentsfuid.com

greenstandmarket.com

fc8fla8kzq.com

gametwist-83.club

jobsncvs.com

directrealtysells.com

avida2015.com

conceptasite.net

arkaneattire.com

indev-mobility.info

2160centurypark412.com

valefloor.com

septembership.com

stackflix.com

jimc0sales.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
        "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
        3⤵
          PID:2664
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
          3⤵
          • Deletes itself
          PID:2628
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:2136
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x1a8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2772

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp34639.WMC\allservices.xml
        Filesize

        546B

        MD5

        df03e65b8e082f24dab09c57bc9c6241

        SHA1

        6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

        SHA256

        155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

        SHA512

        ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp35996.WMC\serviceinfo.xml
        Filesize

        523B

        MD5

        d58da90d6dc51f97cb84dfbffe2b2300

        SHA1

        5f86b06b992a3146cb698a99932ead57a5ec4666

        SHA256

        93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

        SHA512

        7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

        Download Submit
      • memory/576-37-0x0000000000880000-0x0000000000B83000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/576-39-0x00000000004B0000-0x0000000000540000-memory.dmp
        Filesize

        576KB

        Download
      • memory/576-34-0x0000000000870000-0x0000000000876000-memory.dmp
        Filesize

        24KB

        Download
      • memory/576-35-0x0000000000870000-0x0000000000876000-memory.dmp
        Filesize

        24KB

        Download
      • memory/576-36-0x00000000000C0000-0x00000000000E9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/576-38-0x00000000000C0000-0x00000000000E9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1196-40-0x00000000037F0000-0x00000000038F0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1196-47-0x0000000006F70000-0x00000000070C9000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1196-42-0x0000000006F70000-0x00000000070C9000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1196-43-0x0000000006F70000-0x00000000070C9000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1196-33-0x0000000006180000-0x000000000622F000-memory.dmp
        Filesize

        700KB

        Download
      • memory/1196-61-0x000007FF5EFB0000-0x000007FF5EFBA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1196-44-0x0000000006180000-0x000000000622F000-memory.dmp
        Filesize

        700KB

        Download
      • memory/1196-60-0x000007FEF51B0000-0x000007FEF52F3000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1912-18-0x0000000004E00000-0x0000000004E40000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1912-0-0x0000000000C30000-0x0000000000C8C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/1912-1-0x0000000073FB0000-0x000000007469E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1912-2-0x0000000004E00000-0x0000000004E40000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1912-27-0x0000000073FB0000-0x000000007469E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1912-3-0x0000000000520000-0x000000000052C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1912-10-0x0000000073FB0000-0x000000007469E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1912-19-0x0000000002100000-0x000000000215E000-memory.dmp
        Filesize

        376KB

        Download
      • memory/2028-20-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2028-22-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2028-30-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2028-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2028-26-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2028-28-0x0000000000C90000-0x0000000000F93000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2028-31-0x0000000000140000-0x0000000000151000-memory.dmp
        Filesize

        68KB

        Download