MALICIOUS
Classifications: Spyware
Threat Names: XLoader, Mal/Generic-S, Dropped:Trojan.GenericKD.47516107, Trojan.GenericKD.47516107, Gen:Variant.Razy.977233
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
ID #3070454
MD5 aecda0b8180c160b02af1c5dfb591268
SHA1 cdd29b27e32f4771fa8374a6a8e40648f2617e6c
SHA256 e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01
File Size 340.33 KB
Report Created 2021-11-30 12:08 (UTC+1)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 15
OVERVIEW
VMRay Threat Identifiers (13 rules, 24 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 2 Spyware
Rule "XLoader_Win32" from ruleset "Malware" has matched on a memory dump for (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
Rule "XLoader_Win32" from ruleset "Malware" has matched on a memory dump for (process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
4/5 Reputation Known malicious file 2 -
The sample itself is a known malicious file.
Reputation analysis labels file "C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll" as "Mal/Generic-S".
4/5 Antivirus Malicious content was detected by heuristic scan 4 -
Built-in AV detected the sample itself as "Dropped:Trojan.GenericKD.47516107".
Built-in AV detected the dropped file C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll as "Trojan.GenericKD.47516107".
Built-in AV detected a memory dump of (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe as "Gen:Variant.Razy.977233".
Built-in AV detected a memory dump of (process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe as "Gen:Variant.Razy.977233".
2/5 Anti Analysis Tries to detect kernel debugger 1 -
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe tries to detect a kernel debugger via API "NtQuerySystemInformation".
2/5 Anti Analysis Tries to detect debugger 1 -
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe tries to detect a debugger via API "NtQueryInformationProcess".
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe modifies memory of (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe alters context of (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 7 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtUnmapViewOfSection".
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtWriteVirtualMemory".
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtResumeThread".
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtQuerySystemInformation".
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtQueryInformationProcess".
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtAllocateVirtualMemory".
(Process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe makes a direct system call to "NtFreeVirtualMemory".
1/5 Hide Tracks Creates process with hidden window 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe starts (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe reads from (process #2) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Execution Drops PE file 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll".
1/5 Execution Executes itself 1 -
(Process #1) e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe.
Mitre ATT&CK Matrix
Tactics: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Matched techniques (Defense Evasion):
#T1143 Hidden Window
#T1045 Software Packing
Sample Information
Analysis Information
ID #3070454
MD5 aecda0b8180c160b02af1c5dfb591268
SHA1 cdd29b27e32f4771fa8374a6a8e40648f2617e6c
SHA256 e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01
SSDeep 6144:QGi9fvS1T8JN8K9VQcV6EUknce4AfbX7Cmx35sc7PjLyYDbzrOKggDc4N:oqoJR9JRUyvNWE3y0bKgDc4N
ImpHash 7fa974366048f9c551ef45714595665e
File Name e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
File Size 340.33 KB
Sample Type Windows Exe (x86-32)
Has Macros
Creation Time 2021-11-30 12:08 (UTC+1)
Analysis Duration 00:00:51
Termination Reason All processes terminated
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 4
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 2
NETWORK
General: 0 bytes total sent, 0 bytes total received, 0 ports, 0 contacted IP addresses, 0 URLs extracted, 0 files downloaded, 0 malicious hosts detected
DNS: 0 DNS requests for 0 domains, 0 nameservers contacted, 0 total requests returned errors
HTTP/S: 0 URLs contacted, 0 servers, 0 sessions, 0 bytes sent, 0 bytes received
BEHAVIOR
Process Graph
Sample Start -> #1 e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe -> #2 e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe (Child Process; Modify Memory; Modify Control Flow)
Process #1: e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 62997, Reason: Analysis Target
Unmonitor End Time End Time: 103951, Reason: Terminated
Monitor duration 40.95s
Return Code 0
PID 2020
Parent PID 1600
Bitness 32 Bit
Dropped Files (3)
File Name | File Size | SHA256 | YARA Match
C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp | 0 bytes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\RDHJ0C~1\AppData\Local\Temp\5s203cutmo67 | 211.59 KB | b7c466a5a7d7b932e69d08d7ec28c42cbb6cb47956eb6808588685fa6c018c7f |
C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll | 97.00 KB | cb0b173a5a913bb701d85e01b92c90faa77166a4f1cf58f0798313c021149be8 |
Host Behavior
Type | Count
Module | 16
File | 267
System | 50
Process | 1
- | 3
- | 5
Process #2: e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
ID 2
File Name c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe"
Initial Working Directory C:\Users\RDHJ0C~1\AppData\Local\Temp\
Monitor Start Time Start Time: 100997, Reason: Child Process
Unmonitor End Time End Time: 104021, Reason: Terminated
Monitor duration 3.02s
Return Code 0
PID 2852
Parent PID 2020
Bitness 32 Bit
Injection Information (4)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | 0x834 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | 0x834 | 0x401000 (4198400) | 0x27c00 | 1
Modify Memory | #1: c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | 0x834 | 0x30e008 (3203080) | 0x4 | 1
Modify Control Flow | #1: c:\users\rdhj0cnfevzx\desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | 0x834 / 0x694 | 0x77968fe0 (2006355936) | - | 1
Host Behavior
Type | Count
File | 5
- | 1
- | 1
System | 2
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01 | C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | Sample File | 340.33 KB | application/vnd.microsoft.portable-executable | Read, Access | MALICIOUS
cb0b173a5a913bb701d85e01b92c90faa77166a4f1cf58f0798313c021149be8 | C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll | Dropped File | 97.00 KB | application/vnd.microsoft.portable-executable | Write, Create, Access | MALICIOUS
b7c466a5a7d7b932e69d08d7ec28c42cbb6cb47956eb6808588685fa6c018c7f | C:\Users\RDHJ0C~1\AppData\Local\Temp\5s203cutmo67 | Dropped File | 211.59 KB | application/octet-stream | Write, Create, Read, Access | CLEAN
Filename
File Name | Category | Operations | Verdict
C:\Users\RDHJ0C~1\AppData\Local\Temp\ | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nsl7E1F.tmp | Accessed File | Create, Delete, Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | Sample File | Read, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp | Accessed File | Create, Delete, Access | CLEAN
C:\Users | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1 | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1\AppData | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp | Accessed File | Create, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\5s203cutmo67 | Dropped File | Write, Create, Read, Access | CLEAN
C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll | Dropped File | Write, Create, Access | CLEAN
C:\Windows\SYSTEM32\ntdll.dll | Accessed File | Read, Access | CLEAN
\??\C:\Windows\SYSTEM32\ntdll.dll | Accessed File | Create, Read, Access | CLEAN
Process
Process Name | Commandline | Verdict
e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | "C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe" | MALICIOUS
YARA / AV
YARA (2)
Ruleset Name | Rule Name | Rule Description | File Type | File Name | Classification | Verdict
Malware | XLoader_Win32 | XLoader Win32 | Memory Dump | - | Spyware | 5/5
Malware | XLoader_Win32 | XLoader Win32 | Memory Dump | - | Spyware | 5/5
Antivirus (4)
File Type | Threat Name | File Name | Verdict
Sample File | Dropped:Trojan.GenericKD.47516107 | C:\Users\RDhJ0CNFevzX\Desktop\e8e8ecf349599cbd169ec45c9ab1044c3344eedebc9db816291b198da46f9e01.exe | MALICIOUS
Dropped File | Trojan.GenericKD.47516107 | C:\Users\RDHJ0C~1\AppData\Local\Temp\nst84F6.tmp\cadpepxazc.dll | MALICIOUS
Memory Dump | Gen:Variant.Razy.977233 | - | MALICIOUS
Memory Dump | Gen:Variant.Razy.977233 | - | MALICIOUS
ENVIRONMENT
Virtual Machine Information
Platform Information
Anti Virus Information
Software Information
System Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Platform Version 4.3.1
Dynamic Engine Version 4.3.1 / 11/09/2021 04:55
Static Engine Version 4.3.1.0 / 2021-11-09 04:00:13
AV Exceptions Version 4.3.1.6 / 2021-09-21 13:25:28
Link Detonation Heuristics Version 4.3.1.23 / 2021-11-15 15:11:35
Signature Trust Store Version 4.3.1.6 / 2021-09-21 13:25:28
VMRay Threat Identifiers Version 4.3.1.24 / 2021-11-19 15:51:18
YARA Built-in Ruleset Version 4.3.1.20
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-11-30 09:10:45+00:00
Built-in AV Database Records 10581088
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Hangul Office Not installed
Hangul Office Version Not installed
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
Sample Directory C:\Users\RDhJ0CNFevzX\Desktop
Computer Name XC64ZB
User Domain XC64ZB
User Name RDhJ0CNFevzX
User Profile C:\Users\RDhJ0CNFevzX
Temp Directory C:\Users\RDHJ0C~1\AppData\Local\Temp
System Root C:\Windows