Overview

overview

10

Static

static

3

Scan_00003...56.exe

windows7-x64

10

Scan_00003...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan_00003984849905654356.exe

  • Size

    365KB

  • MD5

    29eaa8092a2847b8b13922f9e97441a0

  • SHA1

    36ef99adb92e1ed025a47c5edb9a8a373dbafb0e

  • SHA256

    9c24cb754ba7bd9c72075bb67b4254763a891a0086316f9217c3f247d84cff61

  • SHA512

    b37099aff517abe64c7f1837e82a90ab767c0215947159c84ef91de55018006e13fdad7a2eb64a59a6ae7fa9d39c2c0f018b8d22496661551b0ae9dae314393b

  • SSDEEP

    6144:UPAObj0k20+ZfFzB5xNb47b1AMGXX9WjMilj/OojjE7T1DpnwmNfSle8Vdv3j/:UP1bY8+ZfFzBtbYAt9EMiF/o7pFwmNfC

Score
10/10
xloaderer3bdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

er3b

Decoy

mapaccelerated.com

deanartpg.com

southboundsisters.com

ocstutoriales.com

sappe2france.com

morethanentertained.com

kees3d.com

jjsuzuki.com

heroldmion.com

globeheattreaters.com

ompassionatetelemedicine.com

pacificwestsurrogacy.com

eaplsy.com

lccdqrvgw.icu

collectorcarshop.com

438tamarack.com

gokuid.com

jessicavelasquez.com

avanthomeinspections.com

thebrushstory.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe
      "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe
        "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1188-11-0x0000000004610000-0x00000000046CB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/1188-7-0x0000000004610000-0x00000000046CB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/1188-15-0x00000000043D0000-0x000000000446B000-memory.dmp

    Filesize

    620KB

    Download

  • memory/1188-17-0x00000000043D0000-0x000000000446B000-memory.dmp

    Filesize

    620KB

    Download

  • memory/1188-18-0x00000000043D0000-0x000000000446B000-memory.dmp

    Filesize

    620KB

    Download

  • memory/2652-9-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2652-8-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2652-10-0x0000000000110000-0x0000000000138000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2664-1-0x0000000000260000-0x0000000000360000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2692-2-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2692-3-0x0000000000A00000-0x0000000000D03000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2692-6-0x0000000000130000-0x0000000000141000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2692-5-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download