Overview

overview

10

Static

static

3

PO-090221.exe

windows7-x64

10

PO-090221.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

yrcvb.dll

windows7-x64

1

yrcvb.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2024 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-090221.exe

  • Size

    221KB

  • MD5

    ca11f896143acf2168b383b5532ef812

  • SHA1

    fe4cf4a32e0633b9e47869a0850369c7854ec6d7

  • SHA256

    1fa8e3489567519f9ed48d1323d7316118bfd2f5f6434a942202e4ccc64f8fbf

  • SHA512

    c2d103eefae3afc47eec34210b3aa90283c13f9819c328334474caee8e0ea68dd17e6daa623fdb22af824c14083f53acdb37af84d189820b0406d52bfec41ee4

  • SSDEEP

    3072:oBkfJpRXATwMdFCcmbA94/P32S+INSyftupOxoit6HC77zaDrxehjkEXdN9Nt:oqjIeA94HDN8pOOM6HCmDQkIPnt

Score
10/10
xloadergzcjloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gzcj

Decoy

localzhops.com

cfsb114.com

sweetiefilms.com

cyclewatts.com

bubblesportsevent.com

halloween-r-us.com

rcdzsm.com

reelatioens.com

uniquegranitebenefits.com

chainlinkdex.com

topcoolhlist.com

ivy-apps.com

shopmajesticqueendom.com

ddiesels.com

ventajuguetessexuales.online

daylight93245.com

heiyingxitong.com

personalfashion.guru

usadrugfree.com

beyondcareersuccess.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\PO-090221.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Users\Admin\AppData\Local\Temp\PO-090221.exe
        "C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
        3⤵
        • Deletes itself
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoF91F.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\yrcvb.dll
    Filesize

    11KB

    MD5

    ce58ee918da61b9ad6d17ea883108b75

    SHA1

    ba22489f71b94f0593bb02a89668aa293ce4ca8b

    SHA256

    1175fe7473ab4675f5197a3a5271c095f2a0ad01ee5e55a728c0f208adaeef01

    SHA512

    fa452aeffcb848f4e62a7f3df2ae10dfdc75bb49e3b80e8af076056ea648b438a98a625d951c4b769cc2ffa85742d150aa45290749779dbdc7005bbacdd0ef7a

    Download Submit

  • memory/1244-17-0x0000000006E10000-0x0000000006FAB000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1244-26-0x0000000006E10000-0x0000000006FAB000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1996-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1996-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2352-20-0x00000000006F0000-0x0000000000706000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2352-22-0x00000000006F0000-0x0000000000706000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2352-23-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3040-12-0x0000000074DD0000-0x0000000074DD6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3040-14-0x0000000074DD0000-0x0000000074DD6000-memory.dmp

    Filesize

    24KB

    Download