Overview

overview

10

Static

static

3

00094C5F5F...3B.exe

windows7-x64

3

00094C5F5F...3B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe

  • Size

    857KB

  • MD5

    db0596af906c0293eeb802af1bc3ba4c

  • SHA1

    60540d0eedf061c4b22a3144f36cc8a23dfaab9c

  • SHA256

    00094c5f5f67e1a091ddbdf88ea507bae9ee4bdb06a0306e27ba4b9285c6e13b

  • SHA512

    032eadb161523bd15650823bc9b50e51c3d73d8c247c489199cfa800511cecf5568bdb7b5531acf430973a8b5cd0cd109087c85446311486c0b23575fdc7f4ed

  • SSDEEP

    12288:Pay+JMdzTJnZU55m7hDZ/JY1JKuqMs5JPxpn8RzgiH59UhSY:iTJs/vUulYyuNs5Jxpn8RHZ

Score
10/10
xloaderahgediscoveryevasionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahge

Decoy

zlh.biz

suddennnnnnnnnnnn11.xyz

okanliving.com

shopeuphoricapparel.com

hcifo.com

haciendalosangeleslaguna.com

shineshaft.online

monclerjacketsusa.biz

uwuplay.com

psychicdeb.com

adonlet.com

theprogressivehomesteaders.com

ammaninstitute.com

sqpod.com

tropicbaywatergardens.net

yna901.net

3christinez.online

tastemon.com

karansabberwal.com

delegif.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader payload 4 IoCs
    rat
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
      "C:\Users\Admin\AppData\Local\Temp\00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2844
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:3552
        • C:\Windows\SysWOW64\chkdsk.exe
          "C:\Windows\SysWOW64\chkdsk.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\SysWOW64\mstsc.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:3144

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1048-0-0x000000007467E000-0x000000007467F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1048-15-0x00000000730E5000-0x00000000730E6000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1048-16-0x0000000074670000-0x0000000074E20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1048-3-0x0000000004DD0000-0x0000000004E88000-memory.dmp

        Filesize

        736KB

        Download

      • memory/1048-4-0x0000000074670000-0x0000000074E20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1048-5-0x0000000004CD0000-0x0000000004CFE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1048-6-0x0000000006810000-0x0000000006DB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1048-7-0x0000000006310000-0x0000000006376000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1048-2-0x0000000004D30000-0x0000000004DCC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1048-1-0x00000000002A0000-0x000000000037A000-memory.dmp

        Filesize

        872KB

        Download

      • memory/2264-22-0x0000000000E40000-0x0000000000E4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2264-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2264-24-0x0000000000E90000-0x0000000000EB9000-memory.dmp

        Filesize

        164KB

        Download

      • memory/2364-12-0x00000000010E0000-0x00000000010F1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2364-11-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2364-8-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2364-19-0x0000000001130000-0x0000000001141000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2364-18-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2364-9-0x0000000001240000-0x000000000158A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3488-13-0x00000000027B0000-0x00000000028D7000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3488-21-0x00000000027B0000-0x00000000028D7000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3488-20-0x00000000082C0000-0x0000000008438000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3488-25-0x00000000082C0000-0x0000000008438000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3488-28-0x0000000002690000-0x000000000274C000-memory.dmp

        Filesize

        752KB

        Download

      • memory/3488-30-0x0000000002690000-0x000000000274C000-memory.dmp

        Filesize

        752KB

        Download

      • memory/3488-31-0x0000000002690000-0x000000000274C000-memory.dmp

        Filesize

        752KB

        Download