xloader | 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c

Analysis

max time kernel
106s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
Size

522KB
MD5

b18e598f9eba3ea6050fb0e70cc81cd4
SHA1

683f6f2ce4279c428870f29dae17bdce0d68a4b7
SHA256

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c
SHA512

c2ce9e88a445a8046bb3594324423b2e3ee84cf369a8a114c7053d8a6c588fb5ca3c9927656a973ba7530219f6293cda42dd073370073308a6f91dd006de7e08
SSDEEP

12288:Twm/lE0DO2lolaNVSI+Kn4DUYB6U3vrA:UmdfDO2JNVYKnnlUTA

Score

10^/10

xloader 8zdn loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

8zdn

Decoy

yourherogarden.net

onlineharambee.net

cerrajeriaurgencias24horas.com

distritoforex.com

verifyclientserverssr.com

dandwg.com

co2-zero.global

joshssl.com

meckwt.com

theammf.com

rawclectic.com

gzgnetwork.com

richmondavenuecoc.com

nicolelyte.com

thetinyclosetboutique.com

llt-group.net

seven-sky-design.com

joganifinancialgrp.com

elementsvapes.com

bingent.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2036-56-0x0000000000250000-0x0000000000258000-memory.dmp	CustAttr

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1120-62-0x000000000041D020-mapping.dmp	xloader
behavioral1/memory/1120-61-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

description	pid	process	target process
PID 2036 set thread context of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

pid process

1120 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

pid	process
1120	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

description	pid	process	target process
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 2036 wrote to memory of 1120	2036	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
"C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
"C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1120-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1120-62-0x000000000041D020-mapping.dmp

Download
memory/1120-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1120-63-0x0000000000B40000-0x0000000000E43000-memory.dmp

Filesize
3.0MB

Download
memory/2036-54-0x0000000000AB0000-0x0000000000B38000-memory.dmp

Filesize
544KB

Download
memory/2036-55-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2036-56-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2036-57-0x00000000021E0000-0x0000000002236000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads