Overview

overview

10

Static

static

3

65b8d28cc9...ff.exe

windows7-x64

10

65b8d28cc9...ff.exe

windows10-2004-x64

7

$PLUGINSDI...ds.dll

windows7-x64

10

$PLUGINSDI...ds.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff.exe

  • Size

    251KB

  • MD5

    5da62bdb6889d90f395efd87681ebdc7

  • SHA1

    d6d8cfb0f3bec3b693b805a8bdeefe3651b6d509

  • SHA256

    65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff

  • SHA512

    5c896c8506557c8df0fe44272557e40c3c312458ceea7dfdcd8449438f6b51de0a25aa0d128c77a534142bfa1c345b65075f7e353e515e477693a75aa54d99c8

  • SSDEEP

    6144:p8LxBntcE0yoInozz1mZOoEFmAckF5rTKqdacxIiSgIF3CFbW:EuE0yAVsI4yPbaQBSgIFyFi

Score
10/10
xloaderoqxsdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

oqxs

Decoy

northkoreamatrimony.com

we11studio.net

ekviraonewaycab.com

biakbiak.com

pdmclinic.com

biophots.com

shaydd.com

uplandpro.com

newcrestredchrisltd.com

aventuragaming.com

righteousrewards.com

pengwinz.com

ganey-hn.com

gz-bbe.com

xicauyb.com

historyfive.com

racofix.net

teetimeforyou.com

perfumeriadeverano.com

electrumkeys.works

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff.exe
    "C:\Users\Admin\AppData\Local\Temp\65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff.exe
      "C:\Users\Admin\AppData\Local\Temp\65b8d28cc93ef078954f569422e9292298e638a11a6bb681c85065c84e042bff.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nso72C1.tmp\gbywalds.dll
    Filesize

    12KB

    MD5

    5b7950419e981b94f2d78ba5f70b8f47

    SHA1

    007b19f9267c8634a7b4b488770ae1f667655c20

    SHA256

    6e11a5bb985683f9d03865289565124c11ce2c481a9a505866602cc950c80f5e

    SHA512

    03d2a63385fa404e3fec62b16af9baa3ae93c26250e3ab1b104b6bb42542a7690d182faa50c5f27e89d4a8d00306ba252a188df9109667ca964ba80640882e65

    Download Submit

  • memory/1420-8-0x0000000074FA3000-0x0000000074FA5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2744-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download