xloader | d8bbf0c15a39bb1dd36c71177d2e8c5a05b0531bd91c03800b8503dc23f662c7

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4033910eaa4944d2c84b15fb964cda9.exe
Size

474KB
MD5

c4033910eaa4944d2c84b15fb964cda9
SHA1

638909d6c893b58b57e3ce61eaa650628dd42b08
SHA256

d8bbf0c15a39bb1dd36c71177d2e8c5a05b0531bd91c03800b8503dc23f662c7
SHA512

2dd0d33d5385af8f247a308b7adf71144881a34bed6177748b1b101c61fe39ccc63425f8a2efb4beeef28baf55f9e2752240ab24265728de082f5c16a9b7e8a0
SSDEEP

12288:naYamkM7gHD3KTfv7w0YGwiYPlyGmEdtI:aYl/7Ea/D

Score

10^/10

xloader cpa3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

cpa3

Decoy

hkp.xyz

marcinkwiatkowski.com

celebrityobserver.com

thelotsgroup.com

actusforums.com

cityparcelservice.com

apprig.com

naughtianalove.com

lesitedelanimation.com

taxes1234.com

citieyuan.com

kokonarafile.com

morenatives.com

iredreview.com

oddlywelladjusted.com

wpj.xyz

gofairlane.com

galtoubul.com

custompickem.com

partsandersenstormdoor.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2452-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2452	c4033910eaa4944d2c84b15fb964cda9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2984	2840	c4033910eaa4944d2c84b15fb964cda9.exe	29
PID 2840 wrote to memory of 2984	2840	c4033910eaa4944d2c84b15fb964cda9.exe	29
PID 2840 wrote to memory of 2984	2840	c4033910eaa4944d2c84b15fb964cda9.exe	29
PID 2840 wrote to memory of 2984	2840	c4033910eaa4944d2c84b15fb964cda9.exe	29
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31
PID 2840 wrote to memory of 2452	2840	c4033910eaa4944d2c84b15fb964cda9.exe	31

C:\Users\Admin\AppData\Local\Temp\c4033910eaa4944d2c84b15fb964cda9.exe
"C:\Users\Admin\AppData\Local\Temp\c4033910eaa4944d2c84b15fb964cda9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DRLdmehSEx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28C5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\c4033910eaa4944d2c84b15fb964cda9.exe
  "C:\Users\Admin\AppData\Local\Temp\c4033910eaa4944d2c84b15fb964cda9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2452-19-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/2452-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2452-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2840-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2840-6-0x0000000000B80000-0x0000000000BE6000-memory.dmp

Filesize
408KB

Download
memory/2840-7-0x0000000000540000-0x000000000056E000-memory.dmp

Filesize
184KB

Download
memory/2840-5-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2840-4-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-0-0x0000000000DF0000-0x0000000000E6C000-memory.dmp

Filesize
496KB

Download
memory/2840-2-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/2840-18-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-1-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download