Overview

overview

10

Static

static

3

69d6130e88...0N.exe

windows7-x64

10

69d6130e88...0N.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

NBProjects...in.exe

windows7-x64

7

NBProjects...in.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69d6130e88b7f0157c2c24ceb2cc4a40N.exe

  • Size

    416KB

  • MD5

    69d6130e88b7f0157c2c24ceb2cc4a40

  • SHA1

    041718d23c5b77e72dc65490279cb1f34b4bcced

  • SHA256

    07fb86d2d29812a93d65900435235baf42de5cd83e6dfe381f099a1967746aa2

  • SHA512

    f4403c609138c87c8de4da0f36995efe3f1e81289c0840e97d3e4fd35274350ff320cb05747236a3c6f8fd57a2022d6f95c69c3178914f7c2cbc75f800d28e63

  • SSDEEP

    6144:/QqJb5mFCQcGNYpmUIfvlQdFMkbkz13XQCbbGJJPH4hErRqUHvB:z5mFvcyYQhfvWMkbu1nQdJ8OvB

Score
10/10
xloaderor4idiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

or4i

Decoy

cylindberg.com

qsmpy.world

hairmaxxclinic.com

teesfitpro.com

changethecompany.net

painteredmond.com

shebagholdings.com

wasteexport.com

salesclerkadage.life

rainboxs.com

lingoblasterdiscount.com

booweats.com

topcasino-111.com

downtoearthwork.com

carry-hai.com

nassaustreetcorp.com

directflence.com

basictrainningphothos.com

virtualayurveda.com

dar-sanidad.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 1 IoCs
    rat
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69d6130e88b7f0157c2c24ceb2cc4a40N.exe
    "C:\Users\Admin\AppData\Local\Temp\69d6130e88b7f0157c2c24ceb2cc4a40N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\69d6130e88b7f0157c2c24ceb2cc4a40N.exe
      "C:\Users\Admin\AppData\Local\Temp\69d6130e88b7f0157c2c24ceb2cc4a40N.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstB932.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • memory/808-12-0x00000000003F0000-0x00000000003F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2196-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download