Overview

overview

10

Static

static

3

Purchase o...01.exe

windows7-x64

10

Purchase o...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order 4500447701.exe

  • Size

    559KB

  • MD5

    2dc28d7d605c0da46b7c7f767561a057

  • SHA1

    300f76a7cc13648f00ffb3baa12c51a71adb8395

  • SHA256

    7ed1db0b1bfb7845bc63e83b7408bd8c475f3173cb0942325663cda742de0a26

  • SHA512

    875c7ed14b4b47e1cc56876871153ec3f47374e759aca8e9fba9ac681baf19a96b47233f0159327c37dadf2c9d70817acfeb90e70bf6eda9d60616ddf941375f

  • SSDEEP

    12288:5Xs1g8To3GZrA/XWLXYzTHTpNzfSNmc7seOep6K:dnzpNzqNh77

Score
10/10
xloaderh6fediscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

h6fe

Decoy

fortirecon.com

owlions.com

openrhodes.net

hannahjohnston.com

legacyfreshmarket.com

themedicareenroll.com

hpondsmarket.com

2manyads.com

kiralikservis.com

oxfordprinters.com

yamalo.club

apagyms.com

gulsahdevarsiv.com

employmentpakistan.com

insidegamez.com

curiget.xyz

pinturayanexo.com

myltcpool.com

greenfirewoodash.com

gabrielaalcantarperiodista.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\Purchase order 4500447701.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order 4500447701.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Local\Temp\Purchase order 4500447701.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase order 4500447701.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Purchase order 4500447701.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2292-14-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2292-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2292-20-0x0000000001300000-0x0000000001310000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2292-17-0x0000000001460000-0x00000000017AA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3060-25-0x00000000012F0000-0x0000000001319000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3060-22-0x0000000000020000-0x000000000002E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3060-24-0x0000000000020000-0x000000000002E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3484-31-0x0000000002EF0000-0x0000000002F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3484-29-0x0000000002EF0000-0x0000000002F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3484-28-0x0000000002EF0000-0x0000000002F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3484-26-0x0000000008C60000-0x0000000008DF0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3484-21-0x0000000008C60000-0x0000000008DF0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4808-6-0x00000000052A0000-0x00000000052F6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4808-8-0x00000000752C0000-0x0000000075A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-12-0x0000000000FE0000-0x0000000001058000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4808-16-0x00000000752C0000-0x0000000075A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-11-0x00000000752C0000-0x0000000075A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-10-0x00000000752CE000-0x00000000752CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4808-9-0x0000000007F80000-0x0000000007F8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4808-13-0x0000000000B50000-0x0000000000B82000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4808-7-0x00000000752C0000-0x0000000075A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4808-5-0x0000000002D80000-0x0000000002D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4808-4-0x00000000051A0000-0x0000000005232000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4808-3-0x0000000005750000-0x0000000005CF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4808-2-0x0000000005100000-0x000000000519C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4808-1-0x0000000000640000-0x00000000006D2000-memory.dmp

    Filesize

    584KB

    Download