Overview

overview

10

Static

static

3

c8d7ee1fa1...f5.exe

windows7-x64

10

c8d7ee1fa1...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5.exe

  • Size

    490KB

  • MD5

    6b5c151262e7e04e414579b38108a1d1

  • SHA1

    f151bd3fb1cae8e597f8341e381be15ef7154b04

  • SHA256

    c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5

  • SHA512

    11644469db984f4afbd6eeb320f2a4a6893b96eb864b20233bc115209d9e83dbb61eef25311bce92146731bf0109ccc627698944b74f13b06a0ce7eec8d07fea

  • SSDEEP

    6144:1GxhLwIa+v2TgTxWyYZW2uPxJgpjt61mAKc4WzJCZNozJztmz:0ftwgTx2W2upJgVmBKuzggtmz

Score
10/10
xloadern8crdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

n8cr

Decoy

mainponsel.com

twdesignacreation.com

obsidianfields.net

biologik.education

australianmeatandwine.com

metaverse360.biz

tenlog034.xyz

retryb.com

darbodrum.com

ouranos.xyz

equityreleaseshelpukweb.com

buck100.com

cfip-plongee.com

sundindustrial.com

godigitalwithpavitra.com

exodiguis.com

ncxogt.com

medyncity.store

bseafacepharma.online

dellmoor.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5.exe
    "C:\Users\Admin\AppData\Local\Temp\c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Local\Temp\c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5.exe
      "C:\Users\Admin\AppData\Local\Temp\c8d7ee1fa1df3177eeeae7bf891bb8bf5487bbec5e907d805095cea6bcbabbf5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4416-11-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4416-14-0x00000000011B0000-0x00000000014FA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4480-6-0x0000000005720000-0x000000000572E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4480-2-0x0000000005740000-0x0000000005CE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4480-5-0x0000000005140000-0x000000000514A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4480-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4480-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4480-7-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4480-8-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4480-9-0x0000000008150000-0x00000000081EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4480-10-0x0000000008240000-0x0000000008292000-memory.dmp

    Filesize

    328KB

    Download

  • memory/4480-3-0x0000000005080000-0x0000000005112000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4480-13-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4480-1-0x0000000000620000-0x00000000006A0000-memory.dmp

    Filesize

    512KB

    Download