Analysis

  • max time kernel
    94s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 20:42

General

  • Target

    daaefbbdddac6178d9d71fa1617d02705c4614c62cf981ed4534d33d60e0b5d6.exe

  • Size

    1.0MB

  • MD5

    f58a8ef45fa7a4e7ffbf1dcb3eded720

  • SHA1

    5e83a6c72104a3af601565fe7646eb83f3703585

  • SHA256

    daaefbbdddac6178d9d71fa1617d02705c4614c62cf981ed4534d33d60e0b5d6

  • SHA512

    a8dddc5fd4e8f0dcf2ac5c0a244b83b39b8c8a7477894df5d56e107bfc4efa29624e9f2ef394ec9054333a105ad01d53e5681502f08317d490080190c3c2e57e

  • SSDEEP

    24576:YdBqCebfeuXVgOvrMb1krGy7FzpS+dI66+4ZTg+remT3:YdBqCafeEVprp7bq6OZTgI7

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w8rr

Decoy

musimack.agency

stockdatai.com

obsidianfields.net

idahogunpros.com

leochun.com

tancal.cat

theselfishbrandofficial.com

undegenerateness.info

nhanoon.com

y566.top

arabfinasgodes.com

goldenmetaverse.com

adilafinpay.com

biblicalcaffeine365.com

golgesiz.net

hsshengri.com

bydarcy.net

sevichhar.com

sanjeshgaraneh.com

femdomfilms.biz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\daaefbbdddac6178d9d71fa1617d02705c4614c62cf981ed4534d33d60e0b5d6.exe
    "C:\Users\Admin\AppData\Local\Temp\daaefbbdddac6178d9d71fa1617d02705c4614c62cf981ed4534d33d60e0b5d6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\daaefbbdddac6178d9d71fa1617d02705c4614c62cf981ed4534d33d60e0b5d6.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/752-13-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/752-16-0x0000000001440000-0x000000000178A000-memory.dmp

    Filesize

    3.3MB

  • memory/4532-8-0x0000000005A10000-0x0000000005A1A000-memory.dmp

    Filesize

    40KB

  • memory/4532-9-0x000000007530E000-0x000000007530F000-memory.dmp

    Filesize

    4KB

  • memory/4532-4-0x0000000005880000-0x0000000005912000-memory.dmp

    Filesize

    584KB

  • memory/4532-5-0x0000000005820000-0x000000000582A000-memory.dmp

    Filesize

    40KB

  • memory/4532-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4532-7-0x0000000005A70000-0x0000000005AC6000-memory.dmp

    Filesize

    344KB

  • memory/4532-0-0x000000007530E000-0x000000007530F000-memory.dmp

    Filesize

    4KB

  • memory/4532-3-0x0000000005D90000-0x0000000006334000-memory.dmp

    Filesize

    5.6MB

  • memory/4532-10-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4532-11-0x00000000064F0000-0x0000000006572000-memory.dmp

    Filesize

    520KB

  • memory/4532-12-0x00000000065B0000-0x00000000065E0000-memory.dmp

    Filesize

    192KB

  • memory/4532-2-0x0000000005740000-0x00000000057DC000-memory.dmp

    Filesize

    624KB

  • memory/4532-15-0x0000000075300000-0x0000000075AB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4532-1-0x0000000000C90000-0x0000000000D9A000-memory.dmp

    Filesize

    1.0MB