xloader | b71e66c2f3dd88356df6c1bb0cab806156e91bed324c376b45cae58ce051ceff

Analysis

max time kernel
0s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f875ce20d9473d5dd74d2e0382fb32ba.js
Size

311KB
MD5

f875ce20d9473d5dd74d2e0382fb32ba
SHA1

a9b75554d7cb9eae3f06c2b9f3b7cf60617b32d8
SHA256

b71e66c2f3dd88356df6c1bb0cab806156e91bed324c376b45cae58ce051ceff
SHA512

1eccb095f0bd41fb28879a726d8257b3a30cc487efa33fe24f2be2899596ee99bc54179d7003493aec50e55f6e6beac77616a9a8d9c3d80e4cb4a0244c33c4fe
SSDEEP

6144:X/Rfo2A0XbJtYp+JPNqRvhQoACsix01v8sPgMBZe9c/slHWiqIWvfQwc:mkFtYwPNqRGrCG9rYML/FjvI

Score

10^/10

xloader wqos loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wqos

Decoy

nobis.one

firecrestfineart.com

zhongqiaolw.com

healthcaremovement.com

amothersloveliberates.com

maskscafe.com

dkukkmk.icu

realmindofmitch.com

cranes-crossing.com

deeplyrootedplants.com

doodlesbakery.com

xiaomagu.com

lactase-enzym.com

comprartecnologia.com

making-my-new-normal.com

ruksamin.com

inforko.com

2mblueprint.com

pinkfang.com

100daysofbush.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/5068-12-0x0000000000270000-0x0000000000298000-memory.dmp	xloader
behavioral2/files/0x0006000000023214-6.dat	xloader
behavioral2/memory/2260-17-0x0000000000870000-0x0000000000898000-memory.dmp	xloader
behavioral2/memory/2260-19-0x0000000000870000-0x0000000000898000-memory.dmp	xloader

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\f875ce20d9473d5dd74d2e0382fb32ba.js
1⤵
PID:3004
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js"
  2⤵
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\bin.exe"
  2⤵
  PID:5068

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js

Filesize
9KB

MD5
797f97b46b0f42d7a26810b7b2e04cc9

SHA1
141b0a609e3fe9e4695ad0dfd905be24414287ab

SHA256
2a15292e70c7b6edbfb44ae1347debf9ab31bb3296b7cd3619fda0f9abf0d89d

SHA512
c5173a980edc2230d9673e2c5729b6829c4130e80a14eb7efd7f0e41bc5a3f01b559fb67b5be191e0a309f0b04abf2c52b632e873307471569a07f995774a27d

Download Submit
memory/2260-18-0x00000000029F0000-0x0000000002D3A000-memory.dmp

Filesize
3.3MB

Download
memory/2260-15-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/2260-17-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/2260-16-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/2260-19-0x0000000000870000-0x0000000000898000-memory.dmp

Filesize
160KB

Download
memory/2260-20-0x0000000002790000-0x000000000281F000-memory.dmp

Filesize
572KB

Download
memory/3384-14-0x0000000004D20000-0x0000000004E67000-memory.dmp

Filesize
1.3MB

Download
memory/3384-24-0x0000000007CD0000-0x0000000007D6E000-memory.dmp

Filesize
632KB

Download
memory/3384-25-0x0000000007CD0000-0x0000000007D6E000-memory.dmp

Filesize
632KB

Download
memory/3384-28-0x0000000007CD0000-0x0000000007D6E000-memory.dmp

Filesize
632KB

Download
memory/5068-12-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/5068-13-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/5068-11-0x0000000001200000-0x000000000154A000-memory.dmp

Filesize
3.3MB

Download