Overview

overview

10

Static

static

3

cabb80e608...77.exe

windows7-x64

10

cabb80e608...77.exe

windows10-2004-x64

7

xbgsaxgvtq.exe

windows7-x64

3

xbgsaxgvtq.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    73s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe

  • Size

    304KB

  • MD5

    c9070047ab2475ee0a972aa35e607d6b

  • SHA1

    c6147247f9f048a4260293c3ffd38504f47a3e7d

  • SHA256

    cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477

  • SHA512

    fbb9c1f00c4826ee08e04b864a2b84fcef0c1935a258dd229173170cca52d0d364c48cb9de458b89ea1f41811fe42dea3549ce1aa34235648902b7adc1e239cc

  • SSDEEP

    6144:1xDNXvMZdAkGun7Q4cu7uTpBz0hs9V4SGrPyQaL1S:xXEX9849uTMhA4SC7aLg

Score
10/10
xloaderordvdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ordv

Decoy

boliden-ab.com

internationalinsurace.com

young-shop.online

accesshaiti.online

kelloggsvideos.com

allanglessurveillance.com

valentina-gil.com

unforgettablekreations.com

freedommontesorri.com

yp890.info

nifaji.com

ocopusa.com

urbanmastic.com

andrialimran.com

scpartnersgroup.com

plumbersguild.enterprises

pepr.xyz

leysy-y-nazareno.com

listodates.com

flw.ink

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe
      "C:\Users\Admin\AppData\Local\Temp\cabb80e60885c678211fa4a1653e92f98d9383ee9c31b2576ec507153585d477.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe
        C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe C:\Users\Admin\AppData\Local\Temp\brsrmerpn
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe
          C:\Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe C:\Users\Admin\AppData\Local\Temp\brsrmerpn
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:2964
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 272
          3⤵
          • Program crash
          PID:2180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\brsrmerpn
      Filesize

      4KB

      MD5

      68811df78ba2b483fa9017f7608d66a7

      SHA1

      aca606388306f830e04776ced65c92076a44c8b8

      SHA256

      c1e5b6b3632bab050f44e99373408954c82aad38787a4b79b4d1f1fb51d8af09

      SHA512

      689b469ee753ae4efba2d1fd3b782212d96571d453c402703fe34097e0fc65e85f7baa1842de56eb27e2fa0ce8f458815d5ab01da9c618d87022703e7f086b69

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tssjhtz0mqxw2l
      Filesize

      214KB

      MD5

      35067408289533597691ee34f51606e3

      SHA1

      2ba18281e842683a5fb37acaa5e737bea02920fa

      SHA256

      2d6813cc79094c70a56d820fe897d1b8deab36cb5caafd78fac59b6335e2c663

      SHA512

      97828ec11fee617b415f61a4333ba9e663260d4a86ddab4c8af41b3c4739086cefa08d3c9548d5e8239e0df26a22dc6e457f7d516b4f7c042629cdae02a2ac9d

      Download Submit

    • \Users\Admin\AppData\Local\Temp\xbgsaxgvtq.exe
      Filesize

      6KB

      MD5

      2ba1a350b5a4deba2dd52d84c03534b4

      SHA1

      ba6baa55c68ee4b7979ee3fccc2c54878c705a2f

      SHA256

      95ecc7f27ad29fed67b107020ab9291ec6115bd6a375306331de7d98deda578b

      SHA512

      5575e7e591f3f3e6dc461f8ef9203decc1c1295f9588b70ae9c2e0c85bf7116b60ea15718cf3875969b261aa2f8e874bc361bb5130b5c7e3bc2aeee2797dca0b

      Download Submit

    • memory/1212-20-0x0000000007860000-0x00000000079F9000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1212-16-0x0000000003E50000-0x0000000003EFF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/1212-19-0x0000000003E50000-0x0000000003EFF000-memory.dmp

      Filesize

      700KB

      Download

    • memory/1212-29-0x0000000007860000-0x00000000079F9000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2164-11-0x0000000000250000-0x0000000000252000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2212-12-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2212-15-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2212-18-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2312-23-0x0000000000820000-0x0000000000834000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2312-24-0x0000000000820000-0x0000000000834000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2312-26-0x0000000000820000-0x0000000000834000-memory.dmp

      Filesize

      80KB

      Download