xloader | a6fc3c2cd878129322903c09b84a057046b772e92e883b002714574fff834bde

Analysis

max time kernel
45s
max time network
34s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe9a3470f0ac5c1d00d26e08a22579f.exe
Size

671KB
MD5

6fe9a3470f0ac5c1d00d26e08a22579f
SHA1

a88181b197bda78c80718197e9e4337baa6b96d5
SHA256

a6fc3c2cd878129322903c09b84a057046b772e92e883b002714574fff834bde
SHA512

ecb0a597f5a60b8593ac82bbc6092cf65e3de71f2e4f9e48d2c446159d812f74a44a7ad6054b058901a165dae5b202296bedbc30e110af3d1e7403cbda563805
SSDEEP

12288:YGcQNKL5XwINR3shZLJQ05nFwrvqHfp9y:/CRwUO/ddOTIfDy

Score

10^/10

xloader uytf loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

uytf

Decoy

elife-home-internet.com

amberbandyoutube.com

myhomemechanism.net

nuosports.com

universalpartnersintl.com

greatmix106.com

fangxianger.com

dreampic.net

lifteddevelopments.com

astyledsurface.com

meditationkota.com

hungry4theholy1.com

8belowrescue.com

almostmidnightgames.com

lifelonghiker.com

maridaniellecontreras.com

hisport.info

loveforquality.com

baincot3.com

theneuro-link.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1676-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	6fe9a3470f0ac5c1d00d26e08a22579f.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30
PID 2832 wrote to memory of 1676	2832	6fe9a3470f0ac5c1d00d26e08a22579f.exe	30

C:\Users\Admin\AppData\Local\Temp\6fe9a3470f0ac5c1d00d26e08a22579f.exe
"C:\Users\Admin\AppData\Local\Temp\6fe9a3470f0ac5c1d00d26e08a22579f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\6fe9a3470f0ac5c1d00d26e08a22579f.exe
  "C:\Users\Admin\AppData\Local\Temp\6fe9a3470f0ac5c1d00d26e08a22579f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-14-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1676-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1676-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1676-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-3-0x0000000000B60000-0x0000000000B7C000-memory.dmp

Filesize
112KB

Download
memory/2832-6-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/2832-7-0x0000000000C20000-0x0000000000C4E000-memory.dmp

Filesize
184KB

Download
memory/2832-5-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/2832-4-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-0-0x0000000000EF0000-0x0000000000F9E000-memory.dmp

Filesize
696KB

Download
memory/2832-2-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/2832-13-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download