Overview

overview

10

Static

static

3

INV#94049.exe

windows7-x64

10

INV#94049.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV#94049.exe

  • Size

    624KB

  • MD5

    11b99a9ebfbd6815ea25e451aaadb5c2

  • SHA1

    300ebe536afb18ab95386c59b569da3a3ac39bfa

  • SHA256

    79f465b8846c4bd2865defb9a608d2ca089f94352abd3c765558f6ecfcbd5555

  • SHA512

    433152236bbbc7267c9ad3abdb577dda11007f866d690361cecd8d55d24f3f88ca0635fa11f0ac498b4ed81ddd032864de10d89383fa53a6d6cf16c89636acf5

  • SSDEEP

    12288:l3H2iNLBD7hYI1o4rb8t5S3PRgkFOi6b0:ZH1/eqbo

Score
10/10
xloaderfo8qdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fo8q

Decoy

idesignbymadelinefl.com

finleygoods.com

hfxyyq.com

jjhh9656.com

superstarcoding.com

synergybridges.com

fantom.art

zebramovie.com

keephimmine.com

cmbego.com

shreegurudattaenterprises.com

appcoinsupport.services

roysecitystorage.com

gentlemensstories.com

hubinternationalinnovation.com

letscleartheairnow.com

strueyouneedto.space

schoolofsevens.com

cannaonline.net

slimmersite.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
      "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
        "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1196-18-0x0000000003D50000-0x0000000003E50000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1196-25-0x0000000000250000-0x0000000000350000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1196-23-0x0000000005080000-0x0000000005134000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1196-19-0x0000000005080000-0x0000000005134000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2952-22-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2952-20-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2952-21-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2964-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2964-17-0x00000000001D0000-0x00000000001E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2964-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2964-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2964-14-0x0000000000A20000-0x0000000000D23000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3036-7-0x00000000020A0000-0x00000000020C9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3036-13-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3036-0-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3036-6-0x0000000004BB0000-0x0000000004BFE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3036-5-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3036-4-0x000000007440E000-0x000000007440F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3036-3-0x0000000000420000-0x000000000042C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3036-2-0x0000000074400000-0x0000000074AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3036-1-0x0000000000310000-0x00000000003B2000-memory.dmp

    Filesize

    648KB

    Download