XLoader | 5bbe0096493e

\??\C:\Users\RDhJ0CNFevzX\Desktop\SGmo.exe

Sample File

Binary

»

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\JYXvRPgLySw.exe (Accessed File) C:\Users\RDhJ0CNFevzX\Desktop\SGmo.exe (Sample File, Accessed File, VM File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	628.00 KB
MD5	feccae6a309bb8f7e8737652a76d0c18
SHA1	2dc8e118b255236f538584f2c6b2d98a3c840de4
SHA256	5bbe0096493e0297f0880810ef5141b5905168ce5e5a11f5e16c7c08a3abfa15
SSDeep	12288:hSEzKI6t0t+fmxsfVwGPm2lo6iAboY0vZKf2sRDG3JYECJ:ZNt++Wdwz2loVOQof2y4JD
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

»

Verdict	Malicious
Names	Mal/Generic-S

PE Information

»

Image Base	0x00400000
Entry Point	0x0049E4E2
Size Of Code	0x0009C600
Size Of Initialized Data	0x00000800
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2023-06-30 05:30 (UTC)

Version Information (11)

»

Comments	-
CompanyName	-
FileDescription	WindowsFormsApp1
FileVersion	1.0.0.0
InternalName	SGmo.exe
LegalCopyright	Copyright © 2019
LegalTrademarks	-
OriginalFilename	SGmo.exe
ProductName	WindowsFormsApp1
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Sections (3)

»

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0009C4E8	0x0009C600	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.54
.rsrc	0x004A0000	0x000005BC	0x00000600	0x0009C800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.11
.reloc	0x004A2000	0x0000000C	0x00000200	0x0009CE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

»

mscoree.dll (1)

»

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0009E4B6	0x0009C6B6	0x00000000

Memory Dumps (20)

»

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
sgmo.exe	1	0x004C0000	0x00563FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00980000	0x00986FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x02210000	0x02215FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x066F0000	0x06759FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
sgmo.exe	1	0x004C0000	0x00563FFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00400000	0x0042FFFF	First Execution	32-bit	0x00401380	... Actions Go to Process Download Dump
sgmo.exe	7	0x00DF0000	0x00E93FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
sgmo.exe	1	0x004C0000	0x00563FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00400000	0x0042FFFF	Content Changed	32-bit	0x00409D33	... Actions Go to Process Download Dump
buffer	7	0x00400000	0x0042FFFF	Content Changed	32-bit	0x00427E23	... Actions Go to Process Download Dump
buffer	7	0x00400000	0x0042FFFF	Content Changed	32-bit	0x0040E0B3	... Actions Go to Process Download Dump
buffer	7	0x01390000	0x01689FFF	First Execution	32-bit	0x01407000	... Actions Go to Process Download Dump
buffer	7	0x00400000	0x0042FFFF	Content Changed	32-bit	0x0041F90E	... Actions Go to Process Go to YARA Match Download Dump
buffer	7	0x00F10000	0x00F16FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00EE0000	0x00F0CFFF	Marked Executable	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	7	0x00400000	0x0042FFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	7	0x005D0000	0x006CFFFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x01390000	0x01689FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
sgmo.exe	7	0x00DF0000	0x00E93FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00EB0000	0x00EDCFFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump

d1b9a4d35a60828fe266909d61e197521d3ea7ec859e99c01959bd13286aa0f3

Memory Dump

Binary

»

MIME Type	application/vnd.microsoft.portable-executable
File Size	192.00 KB
MD5	b9dd4025e8d947998fcc3954233c5604
SHA1	cc88a855117738c63b372cae4e410787d935b49b
SHA256	d1b9a4d35a60828fe266909d61e197521d3ea7ec859e99c01959bd13286aa0f3
SSDeep	3072:9GvZCgkMfoEwIr7vFD/fHr8OOgoAULSmHBveCkoRzOeNlMfroG4z:9GvV8Ef7vVL8vlLSA9H9zhj2roG4z
ImpHash	-

PE Information

»

Image Base	0x00400000
Entry Point	0x00401380
Size Of Code	0x0002EA00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2005-12-30 08:55 (UTC)

Sections (1)

»

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x0002E9E4	0x0002EA00	0x00001000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.41

YARA Matches (1)

»

Rule Name	Rule Description	Classification	Score	Actions
XLoader_3	XLoader	Spyware	5/5	... Actions Show Ruleset Show Match

d2752cd3622a843c53fea3bdc96fc23e250ed8de0dc24933d2bb4cddfe923833

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	724.00 KB
MD5	dc26a51b966a076b5b55561482709906
SHA1	8167c3b8a5a3a1aebba585c02a6b1d980976cdfc
SHA256	d2752cd3622a843c53fea3bdc96fc23e250ed8de0dc24933d2bb4cddfe923833
SSDeep	3072:yvZCgkMfoEwIr7vFD/fHr8OOgoAULSmZBveCkoRzOGz:yvV8Ef7vVL8vlLSK9H9zdz
ImpHash	-

7373aa7a9326bd96aa2bbeef335d632ba2c2a6105a7ae0ece30d1cef312ff599

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	724.00 KB
MD5	888296507c4aa01d06c23f94b47703ac
SHA1	6cddd5b9dd6fb7b345d0c51b60b0612f44921e39
SHA256	7373aa7a9326bd96aa2bbeef335d632ba2c2a6105a7ae0ece30d1cef312ff599
SSDeep	3072:yvZCgkMfoEwIr7vFD/fHr8OOgoAULSmZBveCkoRzOGzR:yvV8Ef7vVL8vlLSK9H9zdz
ImpHash	-

5fa5f8e9f2e9bd0320994792a88cde4d62f62f08ed1350966e8f867d634947f4

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	1a49a5a6e745996313bfd0090b46ac32
SHA1	c6899cd083769df86686a2f833027bd47be83e78
SHA256	5fa5f8e9f2e9bd0320994792a88cde4d62f62f08ed1350966e8f867d634947f4
SSDeep	3072:2kZCgRMfoEwIr7vFD/fHr8OOgoAULSmZBveCkoRzOeNlMfroG4z:2kVXEf7vVL8vlLSK9H9zhj2roG4z
ImpHash	-

4e4f4e3f107bf15c6cf7b9f3161026bdc01e9ea69747e61c8761ef9450d6da78

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	5d36a09e7b8f831e1acc8c8748862971
SHA1	6aee57bbc00439faf70bcd9246f2ea13c81f1a06
SHA256	4e4f4e3f107bf15c6cf7b9f3161026bdc01e9ea69747e61c8761ef9450d6da78
SSDeep	3072:2y2ZCXMfoEwIr7vFD/fHr8OOgoAULSmZBveCko4zOeNlMfroG4z:2naEf7vVL8vlLSK9HEzhj2roG4z
ImpHash	-

3f422b16293595d23b84979113009a2cba898053e718395d9040343786540fec

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	ee53e67de243a85942fc2c1fef2d1e87
SHA1	a3fed9bb30d837560814612a29f3e9036c0f301d
SHA256	3f422b16293595d23b84979113009a2cba898053e718395d9040343786540fec
SSDeep	1536:SnRzffhRXg/DBZCw+RMf9HSDlfX7t42u5RmIBcG7FxFPr/ELSOQKZBvi2GCkNuRC:SkZCxMfoEwIr7vFD/ELSmZBveCkoRzO
ImpHash	-

563839ad6290a2dbf21398fe39f3d7f2d01c43eda8cff1dd218f8057dcd1ef82

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	1b38bc5f6a7aea3a0ad73ab550ab77c9
SHA1	931f7372513d2293d871ec37c343bcf03006f96e
SHA256	563839ad6290a2dbf21398fe39f3d7f2d01c43eda8cff1dd218f8057dcd1ef82
SSDeep	3072:ikZCgkMfoEwIr7vFD/fHr8OOgoAULSmZBveCkoRzO:ikV8Ef7vVL8vlLSK9H9z
ImpHash	-

ad0f73d90bc295a378e4cbd41d065565e4d81f7b0655db350ce53b16971cb34f

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	3b6e8d4d96e4cb9850fee1c65b2b32cb
SHA1	9d02dedce622d5aa0c4e595c5d52b712a40acee5
SHA256	ad0f73d90bc295a378e4cbd41d065565e4d81f7b0655db350ce53b16971cb34f
SSDeep	3072:2kZCgkMfoEwIr7vFD/fHr8OOgoAULSmZBveCkoRzO:2kV8Ef7vVL8vlLSK9H9z
ImpHash	-

7ef37b0f65eae8175e63dd92cd6784c19accac0038ef999dec99f204208e1e7b

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	7cf62daa5826bd08f9c6cd68655c28f0
SHA1	ea323e4d22067a5fbc3cc1323bedde34e0af36a7
SHA256	7ef37b0f65eae8175e63dd92cd6784c19accac0038ef999dec99f204208e1e7b
SSDeep	3072:SkZCgkMfoEwIr7vFD/gULSmZBveCkoRzO:SkV8Ef7vbLSK9H9z
ImpHash	-

522effbf9823210a36ba63133688d7fe73b966f81bbd822f8610f42c069893ab

Memory Dump

Stream

»

MIME Type	application/octet-stream
File Size	180.00 KB
MD5	e4e3cd3f03022df0d4e2002bd49bc71a
SHA1	90318b1ceac9d8bf5d1edf3dc44de058c0bdffe3
SHA256	522effbf9823210a36ba63133688d7fe73b966f81bbd822f8610f42c069893ab
SSDeep	3072:SkZCxMfoEwIr7vFD/gULSmZBveCkoRzO:Sk4Ef7vbLSK9H9z
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmp611E.tmp

Dropped File

Text

»

MIME Type	text/xml
File Size	1.56 KB
MD5	97dc6705bcbd4b8f8a72aae52b3710e5
SHA1	c1e9876081068f7cf435c767e9dee93d6838c1f6
SHA256	c136448fdbe671f691150c8897eccb4023be5f9ec346be4864c2b543d40e0ae7
SSDeep	24:2di4+S2qh9Y1Sy1mlUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt89TFxvn:cge2UYrFdOFzOzN33ODOiDdKrsuT8tv
ImpHash	-

Remarks (1/1)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information