Overview

overview

10

Static

static

3

mcb.exe

windows7-x64

10

mcb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mcb.exe

  • Size

    532KB

  • MD5

    ce3fe162f65754238f56df135ddd43e5

  • SHA1

    9cc55a9bc87bde222243c4fe0075288f0ede3d89

  • SHA256

    1a2da8f660bf2273096bf34961d2cd0573eae10717e7259c30e96195d2485597

  • SHA512

    e80e4304d3a7fc711c7d80785e92d6392fc9a4d54c0a96b16f8030fc4d48546416c771ae151c27f4de641817035a24c47095a4e05f44c13c3a30186fe9edd97d

  • SSDEEP

    12288:slc9Drw8FSZCWyr72w4n4e7PWP9G0bxJLg6IybwvFSMozH9prwPRD:sCt4ZjyP2w4n4Jc6TQSMU/rgD

Score
10/10
xloaderfg6sdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fg6s

Decoy

fairshakeforfarmers.com

pierpontlaw.com

expertnomad.com

ishhs.xyz

quotextaiwan.com

thaivisapro.com

madrassat-al-manahil.com

whf5.xyz

dutchpetfelt.com

wizard-nt.store

edfneu.com

zf0.net

hbxft.com

hugevari.com

websitefast.online

maisoncb.com

lghl56.com

donajisf.com

alexandertaylorforhiggins.com

evaz2.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\mcb.exe
      "C:\Users\Admin\AppData\Local\Temp\mcb.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Local\Temp\mcb.exe
        "C:\Users\Admin\AppData\Local\Temp\mcb.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\mcb.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1248-3-0x0000000004D80000-0x0000000004E7A000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/1248-10-0x0000000004D80000-0x0000000004E7A000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/1248-11-0x0000000002F30000-0x0000000003030000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2760-6-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2760-8-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2760-9-0x0000000000090000-0x00000000000B9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2828-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2828-2-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2848-0-0x0000000000442000-0x000000000044B000-memory.dmp

    Filesize

    36KB

    Download