Overview

overview

10

Static

static

3

AgroAG0080...df.exe

windows7-x64

10

AgroAG0080...df.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

ncvh5f0cmlhy.dll

windows7-x64

1

ncvh5f0cmlhy.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AgroAG008021921doc_pdf.exe

  • Size

    296KB

  • MD5

    8c17ba485d997f4613ae37d2ae89d724

  • SHA1

    910883faa1ea6c99da8e26e44e3a9b29a6b21021

  • SHA256

    c1fa41f10a15d258d2edf7c06648ad2413ca25d7e2b4de2b45acfde204b1cf45

  • SHA512

    36a771bdfa3657a2bd606707267ef442a84cfb236d548efe189049aa2f3656b3a0f70289653ce49b885240ab081c68cbd17ba0c3c6e019e9086b10a4896ee8f6

  • SSDEEP

    6144:2x/MjiVFI8EXfPGUN237w78+0JSuYWuvXIqQeMjXSVE:K1o8EX2Uw3UY1JkhTQeMDJ

Score
10/10
xloadergzcjloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gzcj

Decoy

localzhops.com

cfsb114.com

sweetiefilms.com

cyclewatts.com

bubblesportsevent.com

halloween-r-us.com

rcdzsm.com

reelatioens.com

uniquegranitebenefits.com

chainlinkdex.com

topcoolhlist.com

ivy-apps.com

shopmajesticqueendom.com

ddiesels.com

ventajuguetessexuales.online

daylight93245.com

heiyingxitong.com

personalfashion.guru

usadrugfree.com

beyondcareersuccess.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\AgroAG008021921doc_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\AgroAG008021921doc_pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\AgroAG008021921doc_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\AgroAG008021921doc_pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2624
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\AgroAG008021921doc_pdf.exe"
          3⤵
          • Deletes itself
          PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\ncvh5f0cmlhy.dll
      Filesize

      10KB

      MD5

      69d7a8b09151eed513bb240305f08c1b

      SHA1

      9de884849a301ad036c2491246cde2157e2f63b1

      SHA256

      c237c5d665f8fd074c3d2cbbe2da7751f5841ba56be8d103abf86a07bdd961e9

      SHA512

      b6a4011cef892dff62a9a40aa035f6cf749750962e61d30dd754fc4e268587cbe87a92cb3e218b4fe50baebbba9aa2d7c2bfecc172dc13ef66cdb18576c90f62

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsi1B2F.tmp\System.dll
      Filesize

      11KB

      MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

      SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

      SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

      SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

      Download Submit

    • memory/1192-20-0x0000000005020000-0x000000000512B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1192-28-0x0000000005020000-0x000000000512B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1192-16-0x0000000006750000-0x000000000688A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1192-18-0x0000000006750000-0x000000000688A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1960-11-0x0000000010000000-0x0000000010005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1960-13-0x0000000010000000-0x0000000010005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2248-12-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2248-19-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2248-15-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2696-23-0x0000000000190000-0x0000000000411000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2696-24-0x0000000000190000-0x0000000000411000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2696-25-0x00000000000C0000-0x00000000000E9000-memory.dmp

      Filesize

      164KB

      Download