Overview

overview

10

Static

static

3

5aa2c01a64...83.exe

windows7-x64

10

5aa2c01a64...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183.exe

  • Size

    222KB

  • MD5

    0235e629abad14322f70eadc59394bba

  • SHA1

    6fa7ccf3bf7bd29e61f2a43a6ce453520a0c65bd

  • SHA256

    5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183

  • SHA512

    dbb1b0bb8bcd0d87bc2d122b4d90e522fe26fc9901ec564e5a03793be220efce812fab868011a8ac67d7e2172fa8bcfbdae59bff6b7f1b1a3b53f3b958b9ed9a

  • SSDEEP

    6144:qNVs7YrLmcv5r3177kM4QoqmQAMMMiVJyx4c6:qNGYrHtZToRQAGY5c6

Score
10/10
xloadervc6ediscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

vc6e

Decoy

123lejeu.com

services-ti.com

iseekwithin.com

linkdbs.com

bibproductions.com

chaybo247.com

bondiblond.com

amandawilsonfamilylawyers.com

kbihualhamdaniyah.com

littletykesonline.com

circleofrepair.com

kingcartermusic.com

axqal2.com

dscfpro.xyz

cooltoysshop.com

enzocatering.com

skertyl.club

precommgateway.com

maddie-blake.com

malvinasargentina.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183.exe
    "C:\Users\Admin\AppData\Local\Temp\5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183.exe
      "C:\Users\Admin\AppData\Local\Temp\5aa2c01a644cd991b9cc0056f03a0a5462ea4ce6f241d1ad78f9e0b6e042c183.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 316
      2⤵
      • Program crash
      PID:2828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3380 -ip 3380
    1⤵
      PID:756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3380-1-0x0000000000570000-0x0000000000576000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3380-0-0x0000000000573000-0x0000000000574000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3932-3-0x0000000000570000-0x0000000000576000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3932-2-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download