xloader | 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
Size

522KB
MD5

b18e598f9eba3ea6050fb0e70cc81cd4
SHA1

683f6f2ce4279c428870f29dae17bdce0d68a4b7
SHA256

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c
SHA512

c2ce9e88a445a8046bb3594324423b2e3ee84cf369a8a114c7053d8a6c588fb5ca3c9927656a973ba7530219f6293cda42dd073370073308a6f91dd006de7e08
SSDEEP

12288:Twm/lE0DO2lolaNVSI+Kn4DUYB6U3vrA:UmdfDO2JNVYKnnlUTA

Score

10^/10

xloader 8zdn loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

8zdn

Decoy

yourherogarden.net

onlineharambee.net

cerrajeriaurgencias24horas.com

distritoforex.com

verifyclientserverssr.com

dandwg.com

co2-zero.global

joshssl.com

meckwt.com

theammf.com

rawclectic.com

gzgnetwork.com

richmondavenuecoc.com

nicolelyte.com

thetinyclosetboutique.com

llt-group.net

seven-sky-design.com

joganifinancialgrp.com

elementsvapes.com

bingent.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2204-139-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

description	pid	process	target process
PID 3272 set thread context of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

pid	process
2204	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
2204	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

description	pid	process	target process
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
PID 3272 wrote to memory of 2204	3272	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe	358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe

C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
"C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
"C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-138-0x0000000000000000-mapping.dmp

Download
memory/2204-139-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2204-140-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/3272-132-0x00000000000A0000-0x0000000000128000-memory.dmp

Filesize
544KB

Download
memory/3272-133-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/3272-134-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/3272-135-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/3272-136-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/3272-137-0x0000000004DA0000-0x0000000004DF6000-memory.dmp

Filesize
344KB

Download