Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/03/2025, 08:55 UTC

General

  • Target

    Order Specification Requirement With Ref. AMABINIF38535.exe

  • Size

    558KB

  • MD5

    ec44d0c4ec44347f9f8ee63b4bec5210

  • SHA1

    362eda0fa5bd2cd4f50d0f7e9cf0cc641a08b163

  • SHA256

    ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f

  • SHA512

    ee7e79980421b97fccdbe453c5daa98798fc82e8951c3d6aee49a939a1721e2c885ad22c69721488644f277e719d60d2fd1a8f595ceb370d29d899bbca7e1338

  • SSDEEP

    6144:AO6oVJ59N2c3FEyohRbTnIkwcDku8dQDKfcQqUwSLjiXTkgQ:ASJ59r3F0bTnlwcDkuzMcfSLYTTQ

Malware Config

Extracted

Family

xloader

Version

2.2

Campaign

utau

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe
        "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe
          "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\colorcpl.exe
            "C:\Windows\SysWOW64\colorcpl.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1660
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
              5⤵
              • Deletes itself
              • System Location Discovery: System Language Discovery
              PID:2892

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/1216-10-0x0000000005110000-0x0000000005249000-memory.dmp (Filesize: 1.2MB)
    • memory/1216-15-0x0000000005110000-0x0000000005249000-memory.dmp (Filesize: 1.2MB)
    • memory/1216-6-0x0000000004F10000-0x0000000005079000-memory.dmp (Filesize: 1.4MB)
    • memory/1216-11-0x0000000004F10000-0x0000000005079000-memory.dmp (Filesize: 1.4MB)
    • memory/1660-14-0x00000000000D0000-0x00000000000F9000-memory.dmp (Filesize: 164KB)
    • memory/1660-13-0x0000000000410000-0x0000000000428000-memory.dmp (Filesize: 96KB)
    • memory/1660-12-0x0000000000410000-0x0000000000428000-memory.dmp (Filesize: 96KB)
    • memory/1720-9-0x0000000000350000-0x0000000000361000-memory.dmp (Filesize: 68KB)
    • memory/1720-8-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
    • memory/1720-7-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
    • memory/1720-2-0x0000000000D30000-0x0000000000D98000-memory.dmp (Filesize: 416KB)
    • memory/1720-1-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
    • memory/2284-0-0x0000000000D62000-0x0000000000D65000-memory.dmp (Filesize: 12KB)
    • memory/2284-3-0x0000000000D62000-0x0000000000D65000-memory.dmp (Filesize: 12KB)
