xloader | b84be8911946bbe709de08dcaa4c04efc8640d92889dd5603c8afaad142a79af

Analysis

max time kernel
120s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
Size

252KB
MD5

0c38fc3c0a2465e3a15e1bac02f6b4bb
SHA1

8220e570da33641eafcc094ba8824c2624bc92ff
SHA256

b84be8911946bbe709de08dcaa4c04efc8640d92889dd5603c8afaad142a79af
SHA512

8a339b9f4e36cc04cee2cc4ac1f3f3e1e3124579ef8fb3ba81f68182d89da16ed3247cfc3cf7e22952853d9daa1d486c9ef98c704a4164049a70c5b4bc7291b8
SSDEEP

6144:6w1Rg0otCAGOKVUZbz2kp7b+dRD0lV/erzs062suy:v13GzWUZG9D0/UFvy

Score

10^/10

xloader pagi loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

pagi

Decoy

makehrworkable.com

sound-wisdom.com

blacts.com

caenantglamping.com

meridiancpas.com

draughtedinn.co.uk

windywoodshc.com

mintmovileplus.com

pubgeventdailylogin.com

thesocialdzr.com

holapv.com

racevc.com

openpula.pro

wepreventstroke.com

autoclosy.com

enginkarabacak.com

15096eec1652.info

buildthefoundation.net

pwilliamberciklaw.com

paramountrevenueadvisors.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1988-3-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

description pid process target process

PID 2248 set thread context of 1988 2248 0c38fc3c0a2465e3a15e1bac02f6b4bb.exe 0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2232 1988 WerFault.exe 0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

pid process

2248 0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
2248 0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

description	pid	process	target process
PID 2248 set thread context of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

pid	pid_target	process	target process
2232	1988	WerFault.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

pid	process
2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0c38fc3c0a2465e3a15e1bac02f6b4bb.exe0c38fc3c0a2465e3a15e1bac02f6b4bb.exe

description	pid	process	target process
PID 2248 wrote to memory of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
PID 2248 wrote to memory of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
PID 2248 wrote to memory of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
PID 2248 wrote to memory of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
PID 2248 wrote to memory of 1988	2248	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
PID 1988 wrote to memory of 2232	1988	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	WerFault.exe
PID 1988 wrote to memory of 2232	1988	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	WerFault.exe
PID 1988 wrote to memory of 2232	1988	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	WerFault.exe
PID 1988 wrote to memory of 2232	1988	0c38fc3c0a2465e3a15e1bac02f6b4bb.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
"C:\Users\Admin\AppData\Local\Temp\0c38fc3c0a2465e3a15e1bac02f6b4bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\0c38fc3c0a2465e3a15e1bac02f6b4bb.exe
"C:\Users\Admin\AppData\Local\Temp\0c38fc3c0a2465e3a15e1bac02f6b4bb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 36
3⤵
- Program crash
PID:2232

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-3-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2248-1-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/2248-2-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download