Overview

overview

10

Static

static

3

balance in...df.exe

windows7-x64

10

balance in...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    balance invoice-3547542428_pdf.exe

  • Size

    848KB

  • MD5

    c3dee40777d198b0c2b202efa09544ca

  • SHA1

    844ecd0e8303ee9c0d0a478d8fb9bb8b7bf5f2a4

  • SHA256

    b496f743cf4cd880575f37fef2db5c36b857c36afd77f578fc80a19b02cd8b30

  • SHA512

    c4a60605584b531cdc6b8d35c3067b19e401c78ff1ee32ba8e8e7d1a82c1e74a5d3957d636d41bbb0b8617cfb91533616491eecf3315128272376d4afd6956ae

  • SSDEEP

    6144:xfWbU6Uq/ejSo047vgI9y0zJIbjG8YCsxqFsGsLgM03YFfi9hcaHv1b7nCLBgXIk:1kUmNEzgInlYxPsx2P9hcE1HCVp4

Score
10/10
xloaderiwtrdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iwtr

Decoy

srikrishnadental.com

outthedoorinfive.com

batamgle.com

leela-13senses.com

iyhouse.space

brazzalb.com

camperinnrv.com

hageteruossan.com

alicepassion.com

wearethecardclinics.com

thenortherntechgroup.com

akademiarelacji.com

garu.club

brandscoop.net

ejassatulima.xyz

cdo-latam.com

noireimpactcollective.com

poquitotodo.com

g04urs14.com

mgytekstil.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\balance invoice-3547542428_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\balance invoice-3547542428_pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\balance invoice-3547542428_pdf.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\balance invoice-3547542428_pdf.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1156-23-0x00000000063C0000-0x0000000006543000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1156-19-0x00000000063C0000-0x0000000006543000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1156-18-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1204-13-0x0000000074090000-0x000000007477E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1204-1-0x0000000000840000-0x000000000091A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1204-2-0x0000000074090000-0x000000007477E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1204-3-0x0000000000510000-0x0000000000524000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1204-4-0x000000007409E000-0x000000007409F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1204-5-0x0000000074090000-0x000000007477E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1204-6-0x0000000004BC0000-0x0000000004C3E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/1204-7-0x00000000006B0000-0x00000000006E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1204-0-0x000000007409E000-0x000000007409F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2580-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2580-14-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2580-17-0x0000000000140000-0x0000000000151000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2580-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2580-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2580-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2580-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2884-20-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2884-21-0x0000000000E60000-0x0000000000E78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2884-22-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download