Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 22:30

General

  • Target

    3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe

  • Size

    892KB

  • MD5

    4c19f4bccaada36995fb7f26629df873

  • SHA1

    8c04357daf3d64a5f2fac82310472273d46373ac

  • SHA256

    3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7

  • SHA512

    42c48f74ba8a194982c96623e0348d49f96768d1115ad9ce22a1db6221b1165e1de722d8c41ab34292117f3efe81007240d7f284fcca929f8dad4dc7e536705f

  • SSDEEP

    24576:Dwpoi9hGoNIEooPVkAUQBEXPrFx8clMEmsx:DaqEoSBwfcOMEv

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m8gc

Decoy

nelsonleeoffers.com

profi-markets.com

bdstoancau.info

aminsfy.com

longshifa.online

sqadminnplan.net

0el.biz

fortnitegamers.website

28687jr.com

contentandconverting.com

069superbetin.com

kyono-butsuryu.com

lewandosli.online

8herzelstreet.com

doofsmile.com

kreditnekarticehr.com

usalandia.com

mysmartoffice.tech

bens-coaching.com

catlyshop.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe
    "C:\Users\Admin\AppData\Local\Temp\3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe
      "C:\Users\Admin\AppData\Local\Temp\3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5068
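
The Processes tree and the Signatures above together describe a process-hollowing pattern: the sample launches a second copy of its own image (PID 4268 spawning PID 5068), writes into that child (WriteProcessMemory) and redirects its thread (SetThreadContext), after which only the child does further work (EnumeratesProcesses). Below is an added example of detection logic for that pattern, not code from the sandbox report or from the sample itself; the telemetry line format, the parent PID 1188 and the benign browser comparison case are constructed for the example. It also parses the memory-dump names from the Downloads section to compare the child's image-base region with the file size on disk, an inference the report itself does not state.

```python
"""Detect the self-hollowing pattern shown in the report's process tree.

Added example, not code from the sandbox report or from the sample itself.
The telemetry line format, the parent PID 1188 and the benign comparison
case are constructed assumptions; PIDs 4268/5068, the image path, the API
names and the memory-dump names are taken from the report.
"""
import re

SAMPLE = "3d2aeedacfc41b9882494188059bcf1c81160920d4e83fc1f604d0381bca9ea7.exe"
IMAGE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

# Constructed telemetry: "<event>|<pid>|<ppid>|<detail>|<target_pid>".
# For process_create, detail is the image path; for api_call it is the API name.
EVENTS = [
    f"process_create|4268|1188|{IMAGE}|",
    f"process_create|5068|4268|{IMAGE}|",         # second copy of the same image
    "api_call|4268|1188|WriteProcessMemory|5068",  # parent writes into the child...
    "api_call|4268|1188|WriteProcessMemory|5068",
    "api_call|4268|1188|SetThreadContext|5068",    # ...then redirects its thread
    "api_call|5068|4268|EnumProcesses|",           # child starts its own activity
]

# A parent launching a copy of itself without touching its memory is common
# (browsers, installers) and must not be flagged on the self-spawn alone.
BENIGN_EVENTS = [
    r"process_create|900|1188|C:\Program Files\Browser\browser.exe|",
    r"process_create|904|900|C:\Program Files\Browser\browser.exe|",
    "api_call|900|1188|CreateProcessW|904",
]

HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def parse_events(lines):
    events = []
    for line in lines:
        kind, pid, ppid, detail, target = line.split("|")
        events.append({"kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "detail": detail, "target": int(target) if target else None})
    return events


def find_self_hollowing(events):
    """Return (parent_pid, child_pid) pairs where a process spawned a second
    instance of its own image and then called every API in HOLLOWING_APIS
    against that child."""
    image_of = {e["pid"]: e["detail"] for e in events if e["kind"] == "process_create"}
    parent_of = {e["pid"]: e["ppid"] for e in events if e["kind"] == "process_create"}
    calls = {}  # (caller_pid, target_pid) -> set of API names seen
    for e in events:
        if e["kind"] == "api_call" and e["target"] is not None:
            calls.setdefault((e["pid"], e["target"]), set()).add(e["detail"])
    findings = []
    for child, parent in parent_of.items():
        if parent not in image_of:
            continue  # parent started before telemetry began; cannot compare images
        if image_of[child].lower() != image_of[parent].lower():
            continue
        if HOLLOWING_APIS <= calls.get((parent, child), set()):
            findings.append((parent, child))
    return findings


# Memory-dump names as listed in the report's Downloads section.
DUMPS = [
    "memory/4268-1-0x00000000007F0000-0x00000000008D4000-memory.dmp",
    "memory/5068-12-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/5068-15-0x00000000018D0000-0x0000000001C1A000-memory.dmp",
]
FILE_SIZE_ON_DISK = 892 * 1024  # 892KB from the report's General section
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def region_size_at(dump_names, pid, base):
    """Size in bytes of the dumped region of `pid` that starts at `base`,
    or None if no dump covers that base address."""
    for name in dump_names:
        m = DUMP_RE.fullmatch(name)
        if m and int(m.group(1)) == pid and int(m.group(2), 16) == base:
            return int(m.group(3), 16) - int(m.group(2), 16)
    return None


if __name__ == "__main__":
    print("hollowing:", find_self_hollowing(parse_events(EVENTS)))
    print("benign:   ", find_self_hollowing(parse_events(BENIGN_EVENTS)))
    child_image = region_size_at(DUMPS, 5068, 0x400000)
    # The child's image-base region is far smaller than the file on disk,
    # consistent with the original image having been replaced in memory.
    print(f"child image region {child_image // 1024}KB vs "
          f"{FILE_SIZE_ON_DISK // 1024}KB on disk")
```

The rule requires both APIs from the same caller against the same child, which is what separates this from a legitimate parent re-launching its own binary; adding ResumeThread to HOLLOWING_APIS tightens it further where telemetry records it, but this report lists only the two calls.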

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4268-6-0x0000000005470000-0x0000000005480000-memory.dmp

    Filesize

    64KB

  • memory/4268-8-0x0000000074FF0000-0x00000000757A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4268-2-0x0000000005790000-0x0000000005D34000-memory.dmp

    Filesize

    5.6MB

  • memory/4268-3-0x00000000051E0000-0x0000000005272000-memory.dmp

    Filesize

    584KB

  • memory/4268-4-0x00000000051A0000-0x00000000051AA000-memory.dmp

    Filesize

    40KB

  • memory/4268-5-0x0000000074FF0000-0x00000000757A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4268-1-0x00000000007F0000-0x00000000008D4000-memory.dmp

    Filesize

    912KB

  • memory/4268-7-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

    Filesize

    4KB

  • memory/4268-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

    Filesize

    4KB

  • memory/4268-9-0x0000000006BE0000-0x0000000006C7C000-memory.dmp

    Filesize

    624KB

  • memory/4268-10-0x0000000006DF0000-0x0000000006E9E000-memory.dmp

    Filesize

    696KB

  • memory/4268-11-0x0000000006EA0000-0x0000000006ED0000-memory.dmp

    Filesize

    192KB

  • memory/4268-14-0x0000000074FF0000-0x00000000757A0000-memory.dmp

    Filesize

    7.7MB

  • memory/5068-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/5068-15-0x00000000018D0000-0x0000000001C1A000-memory.dmp

    Filesize

    3.3MB