Overview

overview

10

Static

static

3

E-Invoice ...90.exe

windows7-x64

10

E-Invoice ...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-Invoice No 11073490.exe

  • Size

    628KB

  • MD5

    b6ff5bcf0679b7eb84b8c555c75e084b

  • SHA1

    1d239a9a29f315832324795cb9c9a783bf420c26

  • SHA256

    302f8d5292f11a4fb79650e41ee803bc2a0ff6a79666f39ad6033c4827eacba8

  • SHA512

    147e3656519006209e6380f3a6e01f1011e4db49b4a0569465b1a29819ddfd1b7c3682ed56f82be0553bc7135cf351ad02ceea1376d57b3bdf9fc42e8d9ced60

  • SSDEEP

    12288:C13Su/Dwg9Y0kuBXHyLA5ePOnhEWIlDr:CNScMWSOSRv

Score
10/10
xloader3voa8discoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

3voa8

Decoy

artgamble.ltd

schoolq8.com

cartaporte.digital

vinetes.com

maxicashprogfd.xyz

motometics.com

uperiousa.com

chipwaterfrontresort.com

worldspeeddriven.com

thedefiantheathen.com

apurvamehrotra.com

dhaliwallabser.com

cheapestflightsindia.com

rs23.club

at247.tech

flypilotdigital.com

ruiheedu.xyz

lazarotools.com

heistick.xyz

precisalogistica.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\E-Invoice No 11073490.exe
      "C:\Users\Admin\AppData\Local\Temp\E-Invoice No 11073490.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Users\Admin\AppData\Local\Temp\E-Invoice No 11073490.exe
        "{path}"
        3⤵
          PID:4108
        • C:\Users\Admin\AppData\Local\Temp\E-Invoice No 11073490.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4712
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\E-Invoice No 11073490.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3420-25-0x0000000008BE0000-0x0000000008CFE000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3420-41-0x0000000009180000-0x0000000009249000-memory.dmp

      Filesize

      804KB

      Download

    • memory/3420-40-0x0000000009180000-0x0000000009249000-memory.dmp

      Filesize

      804KB

      Download

    • memory/3420-38-0x0000000009180000-0x0000000009249000-memory.dmp

      Filesize

      804KB

      Download

    • memory/3420-24-0x0000000009010000-0x0000000009178000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3420-34-0x0000000009010000-0x0000000009178000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3420-20-0x0000000008BE0000-0x0000000008CFE000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3436-33-0x0000000000F10000-0x0000000000F39000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3436-31-0x0000000000F10000-0x0000000000F39000-memory.dmp

      Filesize

      164KB

      Download

    • memory/3436-28-0x0000000000380000-0x0000000000392000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3436-30-0x0000000000380000-0x0000000000392000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3436-26-0x0000000000380000-0x0000000000392000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3436-32-0x00000000030A0000-0x00000000033EA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3436-36-0x0000000002F00000-0x0000000002F90000-memory.dmp

      Filesize

      576KB

      Download

    • memory/4356-8-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4356-7-0x0000000074EC0000-0x0000000075670000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4356-1-0x0000000000040000-0x00000000000E2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/4356-2-0x0000000004B10000-0x0000000004BAC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4356-15-0x0000000074EC0000-0x0000000075670000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4356-3-0x0000000005160000-0x0000000005704000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4356-4-0x0000000004BB0000-0x0000000004C42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4356-5-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4356-12-0x0000000006530000-0x0000000006560000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4356-11-0x00000000064A0000-0x0000000006522000-memory.dmp

      Filesize

      520KB

      Download

    • memory/4356-10-0x0000000074EC0000-0x0000000075670000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4356-9-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4356-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4356-6-0x0000000004E00000-0x0000000004E56000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4712-16-0x0000000001040000-0x000000000138A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4712-22-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4712-23-0x0000000001010000-0x0000000001021000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4712-13-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4712-19-0x0000000000FB0000-0x0000000000FC1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4712-18-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download