Overview

overview

10

Static

static

3

Petrogulf 108-22.exe

windows7-x64

10

Petrogulf 108-22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Petrogulf 108-22.exe

  • Size

    778KB

  • MD5

    265e12d9de5e962b90ab8d8dd39e3a66

  • SHA1

    2799490cd1831593b1c2694978c1dbec849bf96e

  • SHA256

    28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07

  • SHA512

    151e6a34dacd3a0371b7c9e5d88ecdc596074a2efc14dc834f0cf75ca5e7947224c961e985f6c32f6e6166853caff80b595c858c69088dea1866e9f4d9d2c481

  • SSDEEP

    12288:WkgFEJgYYz0wnHZHEQRmYIso2huSWCL9xLEmSAQ31nPq2oK9PO/Z:q9jRdlIsvuSN5p2q2oKg/

Score
10/10
xloaderw8n5discoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w8n5

Decoy

abolpij.space

secured-service-only.com

themoihay.com

uganda-info.com

readytrove.com

nehaandrajb.com

scuolapadelroma.store

childrensartcafe.com

intelldat.com

jinxedjesterdesigns.com

smallbusinessadminfunds.com

woody.email

effetasolutions.com

miied.com

oxszdt.biz

cdxgkj.com

thebestgpstracker.com

damancavexclusive.com

digitalboat.cloud

eyelikesystems.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\Petrogulf 108-22.exe
      "C:\Users\Admin\AppData\Local\Temp\Petrogulf 108-22.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:436
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/436-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/436-17-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/436-18-0x0000000001120000-0x0000000001131000-memory.dmp

    Filesize

    68KB

    Download

  • memory/436-15-0x00000000015B0000-0x00000000018FA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2412-20-0x0000000000A30000-0x0000000000B6A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2412-23-0x0000000000590000-0x00000000005B9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2412-22-0x0000000000A30000-0x0000000000B6A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3452-19-0x0000000008BE0000-0x0000000008D37000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3452-31-0x0000000008D40000-0x0000000008E47000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3452-29-0x0000000008D40000-0x0000000008E47000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3452-28-0x0000000008D40000-0x0000000008E47000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3452-24-0x0000000008BE0000-0x0000000008D37000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/5064-10-0x0000000008590000-0x0000000008640000-memory.dmp

    Filesize

    704KB

    Download

  • memory/5064-14-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5064-3-0x00000000052C0000-0x0000000005352000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5064-2-0x0000000005960000-0x0000000005F04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5064-1-0x0000000000980000-0x0000000000A48000-memory.dmp

    Filesize

    800KB

    Download

  • memory/5064-4-0x0000000005360000-0x000000000536A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5064-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5064-11-0x0000000008360000-0x0000000008390000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5064-5-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5064-9-0x0000000008270000-0x000000000830C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5064-8-0x00000000749C0000-0x0000000075170000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5064-7-0x00000000749CE000-0x00000000749CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5064-6-0x0000000005920000-0x0000000005930000-memory.dmp

    Filesize

    64KB

    Download