Overview

overview

10

Static

static

3

52a3e7f0c2...00.exe

windows7-x64

10

52a3e7f0c2...00.exe

windows10-2004-x64

7

$PLUGINSDI...un.dll

windows7-x64

3

$PLUGINSDI...un.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00.exe

  • Size

    304KB

  • MD5

    4251d6e3ac2866a8087ca3f682cadbdf

  • SHA1

    fc0c6d7b8f39b388ff64c0e15d35c136bef5a79b

  • SHA256

    52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00

  • SHA512

    e8936b50782ba9b6e50109f04b645049e33d978c77f39f45fcf3730d4f71b55b08bf777118a17c728b191f982d21ccbbb9ddc0b01c1ca96b58e0ce3df60d2e97

  • SSDEEP

    6144:rGiCbmp18OIycnYCh22kriWLF0DJS/b4cAtTynWn206zambrBetaDX/1:1V/dChOcSTUtT3cagrMaDX/1

Score
10/10
xloaderxa9ediscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

xa9e

Decoy

shellthatsells.com

ocelotsdigital.com

worldladder.com

florapac.com

midnight-express.biz

pantherproduct.com

cumits.com

dittamd.com

w388bet.store

muyuanshengshi.com

scrappedmovie.com

investordefence.com

coupdefoudres.com

sideralmkt.online

travwhizz.com

daniellestienstra.com

corbelladvocats.com

annocadans.quest

gabrycancio.com

petrocan.online

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00.exe
    "C:\Users\Admin\AppData\Local\Temp\52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00.exe
      "C:\Users\Admin\AppData\Local\Temp\52a3e7f0c298bd3fac67f953c5528ef41060e708a336c9f3c9c5e6e347ff3f00.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstB1F2.tmp\tcjngvzun.dll
    Filesize

    156KB

    MD5

    5b93103b861e156f69643e0c7ac84017

    SHA1

    5050ab7ffbf02899505ae533b8879d3db076d3d4

    SHA256

    fe4ef7dd57a355df3cf0bf52fb3d0409e4370178a507639fc0ea179cc4ea6843

    SHA512

    91484cbc4bcbff8e00ec20ce4fa54c1affc07c6889ad52246f7f1d7a2700c1a59b4c38cff2a16464b2403a610112f2ff488a6a52eb2756917d0bdbc96c5e664d

    Download Submit

  • memory/2556-9-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2604-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download