Malicious
Classifications

Spyware

Threat Names

XBinder XLoader C2/Generic-A

Remarks (2/3)

(0x02000051): The maximum number of 1000 connections has been exceeded. Further connections were not analyzed.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "6 days, 3 hours, 24 minutes, 17 seconds" to "3 minutes, 6 seconds" to reveal dormant functionality.

Remarks

(0x0200004A): 4 dumps were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 20 MB.

File Name /Users/lxfjnlar/Downloads/sample.jar
Category Sample File
Type Java Archive
Verdict malicious
MIME Type application/java-archive
File Size 706.03 KB
MD5 3c0ab7ca460491b57892aecf093dca97
SHA1 685a7aa5d866c222119a1d4b3d485e2c72a02b9a
SHA256 33ff9bb1a784b8896ab920c2e0fab1f9e9a631d9b5a8b204f0455acece52630e
SSDeep 12288:q/wCW2+HpZChZpaDQjZ72kX58jza8TYMrkyWLNGrKp4hJhh3bYdITa:q/vR+HpZNi7H180MYMrKpohpbYd8a
ImpHash -
YARA Matches (1)
Rule Name XBinder
Rule Description Packer used to distribute malware
Classification -
Score 5/5
File Name /Users/lxfjnlar/Hgl2uHXq
Category Dropped File
Type Binary
Verdict malicious
Also Known As /Users/lxfjnlar/.rH6PLhr8yR/Bdch.app/Contents/MacOS/Bdch (Dropped File)
MIME Type application/x-mach-binary
File Size 124.81 KB
MD5 a17bf4533d7ec677a0d4bdae19e41ff2
SHA1 7edead477048b47d2ac3abdc4baef12579c3c348
SHA256 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa
SSDeep 3072:Q8+OzCmILFHKLDWykiGmGtIm5NtrUQhPgOGGO:QBE/ILRxyn8O8NtrUU
ImpHash -
File Reputation Information
Verdict malicious
Mach-O Information
Arch Type CPU_TYPE_X86_64
Arch Subtype CPU_SUBTYPE_X86_64_ALL
Type Executable
Flags MH_NOUNDEFS, MH_DYLDLINK, MH_TWOLEVEL
UUID 05c5adec-b5fd-39f2-b84e-0a594460a97a
Entry Point 0x10001df00
Segments (4)
Segment: __PAGEZERO
Virtual Address 0x0
Virtual Size 0x100000000
Raw Data Offset 0x0
Raw Data Size 0x0
Initial Protection -
Maximum Protection -
Flags -
Entropy 0.0
Segment: __TEXT
Virtual Address 0x100000000
Virtual Size 0x1e000
Raw Data Offset 0x0
Raw Data Size 0x1e000
Initial Protection VM_PROT_READ, VM_PROT_EXECUTE
Maximum Protection VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE
Flags -
Entropy 7.1
Sections (5)
Name Type Virtual Address Raw Data Offset Size Attributes
__text S_REGULAR 0x100000700 0x700 0x1d83e S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS
__stubs S_SYMBOL_STUBS 0x10001df3e 0x1df3e 0x6 S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS
__stub_helper S_REGULAR 0x10001df44 0x1df44 0x1a S_ATTR_PURE_INSTRUCTIONS, S_ATTR_SOME_INSTRUCTIONS
__const S_REGULAR 0x10001df60 0x1df60 0x40 -
__unwind_info S_REGULAR 0x10001dfa0 0x1dfa0 0x48 -
Segment: __DATA
Virtual Address 0x10001e000
Virtual Size 0x1000
Raw Data Offset 0x1e000
Raw Data Size 0x1000
Initial Protection VM_PROT_READ, VM_PROT_WRITE
Maximum Protection VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE
Flags -
Entropy 0.01
Sections (2)
Name Type Virtual Address Raw Data Offset Size Attributes
__nl_symbol_ptr S_NON_LAZY_SYMBOL_POINTERS 0x10001e000 0x1e000 0x10 -
__la_symbol_ptr S_LAZY_SYMBOL_POINTERS 0x10001e010 0x1e010 0x8 -
Segment: __LINKEDIT
Virtual Address 0x10001f000
Virtual Size 0x340
Raw Data Offset 0x1f000
Raw Data Size 0x340
Initial Protection VM_PROT_READ
Maximum Protection VM_PROT_READ, VM_PROT_WRITE, VM_PROT_EXECUTE
Flags -
Entropy 3.84
Imported Libraries (1)
Name Version Compatibility Version
/usr/lib/libSystem.B.dylib 169.3.0 1.0.0
Load Commands (9)
LC_DYLD_INFO_ONLY
bind_off 126976
bind_size 24
export_off 127016
export_size 336
lazy_bind_off 127000
lazy_bind_size 16
rebase_off 0
rebase_size 0
weak_bind_off 0
weak_bind_size 0
LC_SYMTAB
nsyms 4
stroff 127736
strsize 72
symoff 127656
LC_DYSYMTAB
extrefsymoff 0
extreloff 0
iextdefsym 1
ilocalsym 0
indirectsymoff 127720
iundefsym 2
locreloff 0
modtaboff 0
nextdefsym 1
nextrefsyms 0
nextrel 0
nindirectsyms 4
nlocalsym 1
nlocrel 0
nmodtab 0
ntoc 0
nundefsym 2
tocoff 0
LC_LOAD_DYLINKER
name /usr/lib/dyld
LC_UUID
uuid 05c5adec-b5fd-39f2-b84e-0a594460a97a
LC_VERSION_MIN_MACOSX
sdk 10.8.0
version 10.6.0
LC_UNIXTHREAD
cs 0x0000000000000000
fs 0x0000000000000000
gs 0x0000000000000000
r10 0x0000000000000000
r11 0x0000000000000000
r12 0x0000000000000000
r13 0x0000000000000000
r14 0x0000000000000000
r15 0x0000000000000000
r8 0x0000000000000000
r9 0x0000000000000000
rax 0x0000000000000000
rbp 0x0000000000000000
rbx 0x0000000000000000
rcx 0x0000000000000000
rdi 0x0000000000000000
rdx 0x0000000000000000
rflags 0x0000000000000000
rip 0x000000010001DF00
rsi 0x0000000000000000
rsp 0x0000000000000000
LC_FUNCTION_STARTS
dataoff 127352
datasize 304
LC_DATA_IN_CODE
dataoff 127656
datasize 0
Memory Dumps (1)
Name hgl2uhxq
Process ID 3
Start VA 0x100000000
End VA 0x10001FFFF
Dump Reason Relevant Image
Mach-O Rebuild False
Bitness 64-bit
Entry Point 0x100001000
YARA True
YARA Matches (1)
Rule Name XLoader_MacOS
Rule Description XLoader MacOS
Classification Spyware
Score 5/5
File Name 461
Category Dropped File
Type Stream
Verdict clean (known to be clean)
MIME Type application/octet-stream
File Size 32.00 KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SSDeep 3::
ImpHash -
File Name /Users/lxfjnlar/m2rKEl2wJZ.txt
Category Dropped File
Type Text
Verdict clean (known to be clean)
MIME Type text/plain
File Size 6 Bytes
MD5 c47c7c7383225ab55ff591cb59c41e6b
SHA1 69e27356ef629022720d868ab0c0e3394775b6c1
SHA256 2b7814d3fca2e99e56c51b6ff2aa313ea6e9da6424804240aa8ad891fdfe0900
SSDeep 3:n9:n9
ImpHash -
File Name /Users/lxfjnlar/.rH6PLhr8yR/Bdch.app/Contents/Info.plist
Category Dropped File
Type Text
Verdict clean
MIME Type text/xml
File Size 777 Bytes
MD5 445535f49ee3edd8219d3167b0b363b7
SHA1 64bd5a11b21ea2da3566dcc950a02c0aa27d8e9e
SHA256 3e79433fd67a085967b0ff52d04f2007145de55a3f4e1093e680e61af089ba54
SSDeep 12:TMHdgo+tJVEdQiCXFnInAYwjDXFEXa6m4oIQKKGYsH/fejzjiTAHlvlL:2dfyiwl6wPMa6m4oRwYsH/fenusdL
ImpHash -