xloader | b534432fbd54096403d0bbfd3be79cccbb269601cc3773eef3b36d3930089721

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
Size

793KB
MD5

f299a3572c1ca67f5df9c027c50f5488
SHA1

98ae2458837e4f2bc4e518fd867d3edd28c4236f
SHA256

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a
SHA512

b67592a6fcb8110d41c86bc65141a4138fe251d139009f66235591e60a90905214d2694799f386f7ded8b1e247d38c024e8d102c05fdd645ba8045c81e7de4aa
SSDEEP

12288:MotEJb4xECMrM7I+KA0Z2+8cjtHei+uo0hE/:nCCMrG/R0wTcjtHei+uo0hE/

Score

10^/10

xloader mjyv loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mjyv

Decoy

wenyuexuan.com

tropicaldepression.info

healthylifefit.com

reemletenleafy.com

jmrrve.com

mabduh.com

esomvw.com

selfcaresereneneness.com

murdabudz.com

meinemail.online

brandqrcodes.com

live-in-pflege.com

nickrecovery.com

ziototoristorante.com

chatcure.com

corlora.com

localagentlab.com

yogo7.net

krveop.com

heianswer.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2404-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

description	pid	process	target process
PID 1972 set thread context of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

pid process

2404 b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

description pid process

Token: SeDebugPrivilege 1972 b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

pid	process
2404	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

description	pid	process
Token: SeDebugPrivilege	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

description	pid	process	target process
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
PID 1972 wrote to memory of 2404	1972	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe	b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe

C:\Users\Admin\AppData\Local\Temp\b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
"C:\Users\Admin\AppData\Local\Temp\b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe
"C:\Users\Admin\AppData\Local\Temp\b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-54-0x0000000000F40000-0x000000000100C000-memory.dmp

Filesize
816KB

Download
memory/1972-55-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-56-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/1972-62-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-64-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/2404-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2404-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-65-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2404-66-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads