Overview

overview

10

Static

static

5

INQ8593.exe

windows7-x64

10

INQ8593.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 04:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQ8593.exe

  • Size

    689KB

  • MD5

    a23fbcbae306780f4c604238423ffc5c

  • SHA1

    28f95c0f8ad0c220549a529dd993b234d8e4a053

  • SHA256

    6f1865688d1744c4b955e994613d042146f366732e420290da38623c23a24fd1

  • SHA512

    79311359d95217a2c91fb8ff5020bb053e3c761a9198ac6901505d3fbd70eb4308e5644b1673ce5808c748b16b71a29d600b339020b658f8cd33e376f89a4d7a

  • SSDEEP

    12288:oXe9PPlowWX0t6mOQwg1Qd15CcYk0We1nF0uxjFhHgoYokcXkfT4/9c:lhloDX0XOf4vYpc+Gy

Score
10/10
xloaderrvoediscoveryloaderratupx

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rvoe

Decoy

frogsstoreonline.com

emprendedorasdehogar.com

buseselvi.com

test-chase.com

redevelopment37subhashnagar.com

teacheex.com

trabzonlife.com

pfriendship.com

wholesomepantrys.com

chrislambright.com

companysoftwaresmount.com

daylamiagency.com

emoblow.com

lesbicas.online

muhamadruli.com

lkpayonline.com

aymankatwa.com

illuumi.com

finegoodses.store

patcoins.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INQ8593.exe
    "C:\Users\Admin\AppData\Local\Temp\INQ8593.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\INQ8593.exe
      "C:\Users\Admin\AppData\Local\Temp\INQ8593.exe"
      2⤵
        PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\qbotuhzfgolr
      Filesize

      218KB

      MD5

      2ed5f45a495a567b60c13dd4f63955b6

      SHA1

      425eb94d866fb43d991ae00091c03ac984f11664

      SHA256

      664c717982430dfc67ddad302f818f0b4c15e85a557a7417c864979cbe01d3d3

      SHA512

      f387a5e945a0b4adfbf931867acca50c89f8460388351d0b944b61b712c03b3819824ea2746f13daf6a38a91bc2f463ad4c284644ef2d5518603c80a68a14a24

      Download Submit

    • memory/1392-0-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1392-8-0x0000000000A40000-0x0000000000A42000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1392-7-0x00000000009F0000-0x00000000009F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1392-10-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2472-9-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download