Overview

overview

10

Static

static

3

PAYMENT-PO...05.exe

windows7-x64

10

PAYMENT-PO...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 20:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT-PO6331-105.exe

  • Size

    853KB

  • MD5

    b639a37ca3c7bc94ae81fc2cc4b7da44

  • SHA1

    c13c81065409f452a424ca3620906ccda0192910

  • SHA256

    87616feaef4b9ca318abb0c4da6f7c7b1bd625706e6217a1b2a22f9cb618ea1a

  • SHA512

    fe70bf637a93a50a745d5cc18cbc4018ac7789135ec84baffdaac63a3354d76b461a4731ff35c177463d5d47e62dbe5e31b415cfc93a8937f78335c191ffe3ab

  • SSDEEP

    12288:5ANXMzYSSwTLMJX20dk/FRGaBp4hu6G3RNv8eF43RR9VCZ6vHRjN:zfSwTLMJX2jqQOp6RNUeF4DxjN

Score
10/10
xloadero84ddiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o84d

Decoy

thetrendsharks.com

chaufagiste.com

lskuro.com

wasteconnectionsmyworkday.com

loveontrack28.com

tusder.com

now-focus.com

southerndrawfi.com

brattylipz.com

computip.com

thecreatingcouple.com

fuhrerscheinstelle.com

stally.club

leniure.com

cgoutsourcingservices.com

2055outpost.com

oujerseys.com

petsitandstrut.com

nerddotget.com

standvisuales.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe
          "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\SysWOW64\cmd.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1500
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:452
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:5108
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:1840
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:4104
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:3704
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:752
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:5068
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:4568
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:2460
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:4580

                      Network

                      • flag-us
                        DNS
                        8.8.8.8.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        8.8.8.8.in-addr.arpa
                        IN PTR
                        Response
                        8.8.8.8.in-addr.arpa
                        IN PTR
                        dnsgoogle
                      • flag-us
                        DNS
                        217.106.137.52.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        217.106.137.52.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        99.209.201.84.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        99.209.201.84.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        73.159.190.20.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        73.159.190.20.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        95.221.229.192.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        95.221.229.192.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        58.55.71.13.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        58.55.71.13.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        196.249.167.52.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        196.249.167.52.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        53.210.109.20.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        53.210.109.20.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        198.187.3.20.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        198.187.3.20.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        107.36.72.23.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        107.36.72.23.in-addr.arpa
                        IN PTR
                        Response
                        107.36.72.23.in-addr.arpa
                        IN PTR
                        a23-72-36-107deploystaticakamaitechnologiescom
                      • flag-us
                        DNS
                        168.36.72.23.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        168.36.72.23.in-addr.arpa
                        IN PTR
                        Response
                        168.36.72.23.in-addr.arpa
                        IN PTR
                        a23-72-36-168deploystaticakamaitechnologiescom
                      • flag-us
                        DNS
                        198.181.100.95.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        198.181.100.95.in-addr.arpa
                        IN PTR
                        Response
                        198.181.100.95.in-addr.arpa
                        IN PTR
                        a95-100-181-198deploystaticakamaitechnologiescom
                      • flag-us
                        DNS
                        29.243.111.52.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        29.243.111.52.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        www.stally.club
                        Remote address:
                        8.8.8.8:53
                        Request
                        www.stally.club
                        IN A
                        Response
                      No results found
                      • 8.8.8.8:53
                        8.8.8.8.in-addr.arpa
                        dns
                        66 B
                         90 B
                         1
                        1

                        DNS Request

                        8.8.8.8.in-addr.arpa

                      • 8.8.8.8:53
                        217.106.137.52.in-addr.arpa
                        dns
                        73 B
                         147 B
                         1
                        1

                        DNS Request

                        217.106.137.52.in-addr.arpa

                      • 8.8.8.8:53
                        99.209.201.84.in-addr.arpa
                        dns
                        72 B
                         132 B
                         1
                        1

                        DNS Request

                        99.209.201.84.in-addr.arpa

                      • 8.8.8.8:53
                        73.159.190.20.in-addr.arpa
                        dns
                        72 B
                         158 B
                         1
                        1

                        DNS Request

                        73.159.190.20.in-addr.arpa

                      • 8.8.8.8:53
                        95.221.229.192.in-addr.arpa
                        dns
                        73 B
                         144 B
                         1
                        1

                        DNS Request

                        95.221.229.192.in-addr.arpa

                      • 8.8.8.8:53
                        58.55.71.13.in-addr.arpa
                        dns
                        70 B
                         144 B
                         1
                        1

                        DNS Request

                        58.55.71.13.in-addr.arpa

                      • 8.8.8.8:53
                        196.249.167.52.in-addr.arpa
                        dns
                        73 B
                         147 B
                         1
                        1

                        DNS Request

                        196.249.167.52.in-addr.arpa

                      • 8.8.8.8:53
                        53.210.109.20.in-addr.arpa
                        dns
                        72 B
                         158 B
                         1
                        1

                        DNS Request

                        53.210.109.20.in-addr.arpa

                      • 8.8.8.8:53
                        198.187.3.20.in-addr.arpa
                        dns
                        71 B
                         157 B
                         1
                        1

                        DNS Request

                        198.187.3.20.in-addr.arpa

                      • 8.8.8.8:53
                        107.36.72.23.in-addr.arpa
                        dns
                        71 B
                         135 B
                         1
                        1

                        DNS Request

                        107.36.72.23.in-addr.arpa

                      • 8.8.8.8:53
                        168.36.72.23.in-addr.arpa
                        dns
                        71 B
                         135 B
                         1
                        1

                        DNS Request

                        168.36.72.23.in-addr.arpa

                      • 8.8.8.8:53
                        198.181.100.95.in-addr.arpa
                        dns
                        73 B
                         139 B
                         1
                        1

                        DNS Request

                        198.181.100.95.in-addr.arpa

                      • 8.8.8.8:53
                        29.243.111.52.in-addr.arpa
                        dns
                        72 B
                         158 B
                         1
                        1

                        DNS Request

                        29.243.111.52.in-addr.arpa

                      • 8.8.8.8:53
                        www.stally.club
                        dns
                        61 B
                         128 B
                         1
                        1

                        DNS Request

                        www.stally.club

                      • 8.8.8.8:53

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1500-20-0x0000000000410000-0x000000000046A000-memory.dmp

                        Filesize

                        360KB

                        Download

                      • memory/1500-22-0x00000000003C0000-0x00000000003E9000-memory.dmp

                        Filesize

                        164KB

                        Download

                      • memory/1500-18-0x0000000000410000-0x000000000046A000-memory.dmp

                        Filesize

                        360KB

                        Download

                      • memory/2532-5-0x0000000000400000-0x0000000000429000-memory.dmp

                        Filesize

                        164KB

                        Download

                      • memory/2532-14-0x0000000000400000-0x0000000000429000-memory.dmp

                        Filesize

                        164KB

                        Download

                      • memory/2532-15-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2532-11-0x00000000007D0000-0x00000000007E0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2532-8-0x0000000001050000-0x000000000139A000-memory.dmp

                        Filesize

                        3.3MB

                        Download

                      • memory/2532-10-0x0000000000400000-0x0000000000429000-memory.dmp

                        Filesize

                        164KB

                        Download

                      • memory/3432-21-0x0000000002A40000-0x0000000002B36000-memory.dmp

                        Filesize

                        984KB

                        Download

                      • memory/3432-12-0x0000000002980000-0x0000000002A31000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3432-28-0x0000000007FE0000-0x00000000080EB000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/3432-26-0x0000000007FE0000-0x00000000080EB000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/3432-16-0x0000000002A40000-0x0000000002B36000-memory.dmp

                        Filesize

                        984KB

                        Download

                      • memory/3432-17-0x0000000002980000-0x0000000002A31000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3432-25-0x0000000007FE0000-0x00000000080EB000-memory.dmp

                        Filesize

                        1.0MB

                        Download

                      • memory/4788-3-0x0000000074C42000-0x0000000074C43000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4788-2-0x0000000074C40000-0x00000000751F1000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4788-1-0x0000000074C40000-0x00000000751F1000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4788-7-0x0000000074C40000-0x00000000751F1000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4788-4-0x0000000074C40000-0x00000000751F1000-memory.dmp

                        Filesize

                        5.7MB

                        Download

                      • memory/4788-0-0x0000000074C42000-0x0000000074C43000-memory.dmp

                        Filesize

                        4KB

                        Download

                      We care about your privacy.

                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.