xloader | 732c044639713a301c63669f5284e0f23813d57f02c5719b021305aeb8933a58

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51f4194b7b616ec6d397bf5851d293d.exe
Size

466KB
MD5

a51f4194b7b616ec6d397bf5851d293d
SHA1

c7aa4b6d0c29f9e3a26627d17938a73d6445c695
SHA256

732c044639713a301c63669f5284e0f23813d57f02c5719b021305aeb8933a58
SHA512

29614ef9692bbb72123c11f82e93d6405bae8555e71e220b62e6c4a262c0874191e3d6f47e7a22ba35741f364c964e1c15c5d13b2f0ed33c390c2dcfa8f7af2d
SSDEEP

12288:pWLZ5cHrAnucAXtiZHjeEDnCUXOcZwAbOCD7OfAYVC9:pZcu1X0njwy/

Score

10^/10

xloader gm9w loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gm9w

Decoy

steffiemor.com

qe2rvstorage.com

louisteak.com

top-dex2.com

fafeiya.com

saffure.com

1upshopandstuff.com

wemove66.com

deckswap.info

joinjifu.com

joboval.com

stilldeliciousvegan.com

intercunt.com

espaciosterapeutas.com

doglai.com

situationslayer.com

adbreaks.net

cdjy666.com

ap70mm.com

gwh525.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/816-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
816	a51f4194b7b616ec6d397bf5851d293d.exe
816	a51f4194b7b616ec6d397bf5851d293d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98
PID 4892 wrote to memory of 816	4892	a51f4194b7b616ec6d397bf5851d293d.exe	98

C:\Users\Admin\AppData\Local\Temp\a51f4194b7b616ec6d397bf5851d293d.exe
"C:\Users\Admin\AppData\Local\Temp\a51f4194b7b616ec6d397bf5851d293d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\a51f4194b7b616ec6d397bf5851d293d.exe
  "C:\Users\Admin\AppData\Local\Temp\a51f4194b7b616ec6d397bf5851d293d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/816-16-0x00000000013C0000-0x000000000170A000-memory.dmp

Filesize
3.3MB

Download
memory/816-15-0x00000000013C0000-0x000000000170A000-memory.dmp

Filesize
3.3MB

Download
memory/4892-4-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4892-1-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4892-5-0x0000000007130000-0x000000000713A000-memory.dmp

Filesize
40KB

Download
memory/4892-6-0x00000000024C0000-0x00000000024DC000-memory.dmp

Filesize
112KB

Download
memory/4892-7-0x0000000008490000-0x000000000852C000-memory.dmp

Filesize
624KB

Download
memory/4892-8-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4892-9-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/4892-10-0x0000000008840000-0x00000000088A6000-memory.dmp

Filesize
408KB

Download
memory/4892-11-0x0000000005D30000-0x0000000005D5E000-memory.dmp

Filesize
184KB

Download
memory/4892-3-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/4892-14-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4892-2-0x0000000007660000-0x0000000007C04000-memory.dmp

Filesize
5.6MB

Download
memory/4892-0-0x00000000001D0000-0x000000000024A000-memory.dmp

Filesize
488KB

Download