Overview

overview

10

Static

static

8

Order.exe

windows7-x64

5

Order.exe

windows10-2004-x64

5

төлем...DF.exe

windows7-x64

10

төлем...DF.exe

windows10-2004-x64

10

87597.exe

windows7-x64

10

87597.exe

windows10-2004-x64

10

29146c1ccd...70.exe

windows7-x64

7

29146c1ccd...70.exe

windows10-2004-x64

7

2cc3b42957...8e.exe

windows7-x64

10

2cc3b42957...8e.exe

windows10-2004-x64

10

RICHIESTA ...TA.exe

windows7-x64

10

RICHIESTA ...TA.exe

windows10-2004-x64

10

39c1e12e0a...25c.js

windows7-x64

3

39c1e12e0a...25c.js

windows10-2004-x64

3

3f46e10e5f...3b.exe

windows7-x64

10

3f46e10e5f...3b.exe

windows10-2004-x64

10

53074094ad...95dbec

debian-12-mipsel

10

632cfc71bd...b1.doc

windows7-x64

10

632cfc71bd...b1.doc

windows10-2004-x64

10

685dce7a17...03.exe

windows7-x64

6

685dce7a17...03.exe

windows10-2004-x64

10

6c4aab4c3b...e2.exe

windows7-x64

10

6c4aab4c3b...e2.exe

windows10-2004-x64

10

73a52a4c60...c0.exe

windows7-x64

3

73a52a4c60...c0.exe

windows10-2004-x64

3

Inv_7623980.exe

windows7-x64

10

Inv_7623980.exe

windows10-2004-x64

10

8954739d96...a8.ps1

windows7-x64

3

8954739d96...a8.ps1

windows10-2004-x64

8

USD $.exe

windows7-x64

10

USD $.exe

windows10-2004-x64

10

91d079d937...b9.exe

windows7-x64

Analysis

  • max time kernel
    146s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    USD $.exe

  • Size

    1.0MB

  • MD5

    7098068c07032900ff073b55a8ad8e0b

  • SHA1

    5bdda0bc06b935689f29d55b297d0523d82c6bfa

  • SHA256

    2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e

  • SHA512

    c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39

  • SSDEEP

    12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ

Score
10/10
xloaderwenidiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

weni

Decoy

sdmdwang.com

konversationswithkoshie.net

carap.club

eagldeream.com

856380585.xyz

elgallocoffee.com

magetu.info

lovertons.com

theichallenge.com

advancedautorepairsonline.com

wingsstyling.info

tapdaugusta.com

wiloasbanhsgtarewdasc.solutions

donjrisdumb.com

experienceddoctor.com

cloverhillconsultants.com

underwear.show

karensgonewild2020.com

arodsr.com

thefucktardmanual.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\USD $.exe
      "C:\Users\Admin\AppData\Local\Temp\USD $.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1280-18-0x0000000007380000-0x00000000074DB000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1280-17-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1280-24-0x0000000006CA0000-0x0000000006D6F000-memory.dmp

    Filesize

    828KB

    Download

  • memory/1280-28-0x0000000006CA0000-0x0000000006D6F000-memory.dmp

    Filesize

    828KB

    Download

  • memory/1680-4-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1680-5-0x0000000073F60000-0x000000007464E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1680-6-0x0000000007540000-0x00000000075CC000-memory.dmp

    Filesize

    560KB

    Download

  • memory/1680-7-0x0000000002210000-0x000000000224A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1680-3-0x00000000004D0000-0x00000000004D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1680-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1680-2-0x0000000073F60000-0x000000007464E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1680-19-0x0000000073F60000-0x000000007464E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1680-1-0x00000000009F0000-0x0000000000AF6000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2200-27-0x00000000001F0000-0x0000000000218000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2200-25-0x0000000000220000-0x0000000000242000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2200-26-0x0000000000220000-0x0000000000242000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2680-13-0x00000000009A0000-0x0000000000CA3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2680-15-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2680-22-0x00000000002C0000-0x00000000002D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-21-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2680-16-0x0000000000180000-0x0000000000190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2680-9-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2680-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-12-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2680-8-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download