Xulace[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Xulace.exe
Size

16.3MB
MD5

7667328084d8862b561992a8ce4f0972
SHA1

994db1d548d87a1a008a35bb067a46c03d429a34
SHA256

6f18e0dd21bb635d5b36c14b744d7222f02598dbc7adc12ddf6178a30ce9b265
SHA512

0964129b33c211654eaeec047c44854acf6a39b70e6efae6c21210871b1f7eca8ea88c69419db7fa9ae96115aaa8d97f9797241f1ff4e1aed1f7363f7179918f
SSDEEP

393216:oGKoYuClnhnIFRRdx9X0OAMroSdabRxeqBOh4:oGIhnazX0OA+oSdwRxeqBOh4

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Xulace.exe

Files

Xulace.exe
.exe windows:6 windows x64 arch:x64

dabb54211033a4ee8c3cb3094453411a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\projects\XulaceLoader\Loader.pdb

Imports

kernel32

K32GetModuleBaseNameW
GetModuleHandleW
GetCurrentThread
GetCurrentProcessId
Sleep
SetFileTime
GetFileTime
K32GetModuleBaseNameA
WriteConsoleW
CreateProcessW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
CreateWaitableTimerExA
GetWindowsDirectoryA
SetWaitableTimerEx
ReadFile
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
LoadLibraryExA
VirtualAlloc
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetConsoleWindow
VirtualQueryEx
OpenProcess
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
SetEndOfFile
SetStdHandle
GetTimeZoneInformation
SetFilePointerEx
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
EnterCriticalSection
GetProcessHeap
RtlUnwind
CompareStringW
GetTimeFormatW
GetDateFormatW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetConsoleOutputCP
ReadConsoleW
GetConsoleMode
ExitProcess
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetDriveTypeW
GetFileType
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
VirtualQuery
VirtualProtect
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
GetLastError
DecodePointer
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
LoadLibraryA
GetProcAddress
GetModuleHandleA
WaitForSingleObject
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
WriteConsoleA
GetModuleFileNameA
TerminateProcess
RtlPcToFileHeader
DeleteFileW
DeleteFileA
SetFilePointer
GetLogicalDrives
GetVolumeInformationByHandleW
GetExitCodeProcess
CreateProcessA
RaiseException
OutputDebugStringW
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetFileSizeEx
VerifyVersionInfoA
GetCurrentProcess
GetStdHandle
CloseHandle
WriteFile
CreateFileA
K32GetModuleFileNameExW
GetEnvironmentVariableA
MoveFileExA
FormatMessageW
SetLastError
LocalFree
FormatMessageA
GetLocaleInfoEx
WaitForSingleObjectEx
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
GetStringTypeW
SetCurrentDirectoryW
GetCurrentDirectoryW
CreateDirectoryW
FindFirstFileExW
GetFileAttributesW
GetFileAttributesExW
GetFileInformationByHandle
GetFullPathNameW
SetFileAttributesW
SetFileInformationByHandle
GetTempPathW
AreFileApisANSI
DeviceIoControl
MoveFileExW
GetFileInformationByHandleEx
CreateThreadpoolWork
SubmitThreadpoolWork
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
GetSystemTimeAsFileTime
EncodePointer
LCMapStringEx
IsProcessorFeaturePresent
CompareStringEx
GetCPInfo
LockFileEx
UnlockFileEx
GetModuleFileNameW
GetComputerNameW
ReleaseMutex
CreateMutexW
CreateTimerQueueTimer
DeleteTimerQueueTimer
InitializeCriticalSection
GetSystemInfo
GetTickCount
VirtualLock
VirtualUnlock
GlobalMemoryStatus
Heap32ListFirst
Heap32ListNext
Heap32First
Heap32Next
Thread32First
Thread32Next
Module32FirstW
Module32NextW
SleepEx
GetSystemDirectoryA

user32

CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
TrackMouseEvent
GetKeyState
GetCapture
OpenClipboard
ReleaseCapture
GetForegroundWindow
GetClientRect
SetCursorPos
SetCursor
GetCursorPos
ClientToScreen
ScreenToClient
LoadCursorA
TranslateMessage
DispatchMessageA
PeekMessageA
SendMessageA
PostMessageA
GetCaretPos
GetInputState
GetMessageTime
GetMessagePos
DefWindowProcA
PostQuitMessage
IsWindow
ShowWindow
SetWindowPos
SetCapture
GetAsyncKeyState
GetWindowRect

gdi32

GetObjectA
DeleteObject

advapi32

OpenProcessToken
CryptCreateHash
CryptHashData
CryptDestroyHash
RegOpenKeyExA
RegDeleteTreeW
LookupPrivilegeValueW
RegRenameKey
FreeSid
SetNamedSecurityInfoW
SetEntriesInAclW
AllocateAndInitializeSid
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertStringSecurityDescriptorToSecurityDescriptorW
QueryServiceStatus
OpenServiceA
OpenSCManagerA
CloseServiceHandle
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
GetUserNameW
SetFileSecurityW
RegCloseKey
RegOpenKeyA
LookupAccountNameW
RegEnumKeyExW
RegQueryInfoKeyW
ConvertSidToStringSidW
DuplicateTokenEx
RegQueryValueExA
RegSetValueExA
RegCreateKeyA
LookupPrivilegeValueA
AdjustTokenPrivileges
CryptGenRandom

ole32

CreateStreamOnHGlobal
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitialize

d3d11

D3D11CreateDeviceAndSwapChain

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

ntdll

NtQueryInformationProcess
RtlInitUnicodeString
NtQuerySystemInformation
RtlAdjustPrivilege

winhttp

WinHttpGetProxyForUrl
WinHttpCloseHandle
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen

ws2_32

WSAGetLastError
closesocket
bind
send
recv
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
__WSAFDIsSet
select
connect
htonl
listen
ioctlsocket
getaddrinfo
freeaddrinfo
accept

crypt32

CertOpenStore
CertCloseStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmAssociateContextEx
ImmGetContext
ImmReleaseContext

d3dcompiler_43

D3DCompile

gdiplus

GdipDisposeImage
GdipSaveImageToStream
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipGetImageEncodersSize
GdipGetImageEncoders
GdiplusStartup
GdipFree
GdipAlloc
GdipCloneImage
GdipCreateBitmapFromScan0

wininet

HttpQueryInfoA
InternetCloseHandle
InternetOpenA
InternetReadFile

urlmon

URLDownloadToFileA

iphlpapi

GetIfTable
GetIpNetTable2
FreeMibTable
GetAdaptersAddresses
GetAdaptersInfo

shell32

SHFileOperationW
SHGetFolderPathW

oleaut32

SysAllocString
SysFreeString
VariantClear
SafeArrayGetElement
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy

shlwapi

PathFileExistsW

Sections

.text
Size: 15.5MB - Virtual size: 15.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.UPX1
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.mm
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 621KB - Virtual size: 621KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 39KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dabb54211033a4ee8c3cb3094453411a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

ole32

d3d11

d3dx11_43

ntdll

winhttp

ws2_32

crypt32

imm32

d3dcompiler_43

gdiplus

wininet

urlmon

iphlpapi

shell32

oleaut32

shlwapi

Sections

.text Size: 15.5MB - Virtual size: 15.5MB

.UPX1 Size: 6KB - Virtual size: 5KB

.mm Size: 43KB - Virtual size: 42KB

.rdata Size: 621KB - Virtual size: 621KB

.data Size: 39KB - Virtual size: 69KB

.pdata Size: 95KB - Virtual size: 95KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: - Virtual size: 6KB

.text
Size: 15.5MB - Virtual size: 15.5MB

.UPX1
Size: 6KB - Virtual size: 5KB

.mm
Size: 43KB - Virtual size: 42KB

.rdata
Size: 621KB - Virtual size: 621KB

.data
Size: 39KB - Virtual size: 69KB

.pdata
Size: 95KB - Virtual size: 95KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: - Virtual size: 6KB