xloader | 770aee06bb2c48271eaaa6af3d44ac3c590f1a372007d1c92591ae65c053e682

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2022 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
Size

490KB
MD5

d310668e05d5cd2b883c7635b8478ac3
SHA1

ffe307ef53f4fc5f0d32309dd4193273dae58bdc
SHA256

770aee06bb2c48271eaaa6af3d44ac3c590f1a372007d1c92591ae65c053e682
SHA512

fd1275cbba17c27496a5e395699b7fea0e3478631613d861d16f68e3bc1e16d5ed3fc158af62f61a072a964cbd372885baaf518ae455c5c9614e9cee639f2198
SSDEEP

12288:DX942IWQ20shxEXFktUQDNGkkkkkkkkkkBWC/ZX6:L9lBhheVktUQDJ9

Score

10^/10

xloader zgtb loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2008-138-0x0000000000400000-0x000000000042B000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

description	pid	process	target process
PID 3568 set thread context of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exeSecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

pid	process
3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
2008	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
2008	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

description pid process

Token: SeDebugPrivilege 3568 SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

description	pid	process
Token: SeDebugPrivilege	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

description	pid	process	target process
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
PID 3568 wrote to memory of 2008	3568	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe	SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.61638470.5680.17006.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-137-0x0000000000000000-mapping.dmp

Download
memory/2008-138-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2008-139-0x00000000013D0000-0x000000000171A000-memory.dmp

Filesize
3.3MB

Download
memory/3568-132-0x0000000000FE0000-0x0000000001060000-memory.dmp

Filesize
512KB

Download
memory/3568-133-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/3568-134-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/3568-135-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/3568-136-0x0000000007590000-0x000000000759A000-memory.dmp

Filesize
40KB

Download