xloader | 9808a74ae58e0a4ce64f01226ea471338f9df7e2155581ef0822070d952997b5

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 16:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b487f8cff52e5de3c37f4d48975ed45.exe
Size

1.4MB
MD5

2b487f8cff52e5de3c37f4d48975ed45
SHA1

367d9ccbd374e0267eb50e3323fffce0ed2b2f41
SHA256

9808a74ae58e0a4ce64f01226ea471338f9df7e2155581ef0822070d952997b5
SHA512

af6fbfd84e96c7d75cf00b97d28f8b08b93bcf51faaaf5fb9a07a065e3d114ed1f4677f25af324804c536d795559dede1d698ae4056487314682bfcfa5eb2da9
SSDEEP

24576:9irOsBgo0q4wMWBmCmTOUd+L6kpXW9wdc0Kly0VaLQ8Iq40Kv1VZX:UaoHMqmCm6Ud+zpXmwDSy048JZ

Score

10^/10

xloader p086 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p086

Decoy

jinshichain.com

worldpettraveler.com

hightecforpc.com

kj97fm.com

streetnewstv.com

webrew.club

wheretogodubai.com

apostapolitica.net

thecafy.com

vinelosangeles.com

gashinc.com

gutitout.net

bvd-invest.com

realtoroutdesk.com

lawnbowlstournaments.net

nobodyisillegal.com

abogadoorihuela.net

sanistela.com

jksecurityworld.com

peppermintproject.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1108-8-0x0000000005380000-0x0000000005392000-memory.dmp	CustAttr

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4724-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1108	2b487f8cff52e5de3c37f4d48975ed45.exe
1108	2b487f8cff52e5de3c37f4d48975ed45.exe
4724	2b487f8cff52e5de3c37f4d48975ed45.exe
4724	2b487f8cff52e5de3c37f4d48975ed45.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	2b487f8cff52e5de3c37f4d48975ed45.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2568	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	102
PID 1108 wrote to memory of 2568	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	102
PID 1108 wrote to memory of 2568	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	102
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101
PID 1108 wrote to memory of 4724	1108	2b487f8cff52e5de3c37f4d48975ed45.exe	101

C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe
"C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe
  "C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe
  "C:\Users\Admin\AppData\Local\Temp\2b487f8cff52e5de3c37f4d48975ed45.exe"
  2⤵
  PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-8-0x0000000005380000-0x0000000005392000-memory.dmp

Filesize
72KB

Download
memory/1108-9-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-3-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/1108-4-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/1108-6-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/1108-7-0x00000000055B0000-0x0000000005606000-memory.dmp

Filesize
344KB

Download
memory/1108-5-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1108-0-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-1-0x0000000000720000-0x0000000000894000-memory.dmp

Filesize
1.5MB

Download
memory/1108-10-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1108-2-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/1108-11-0x0000000006D30000-0x0000000006DAC000-memory.dmp

Filesize
496KB

Download
memory/1108-12-0x0000000006DB0000-0x0000000006DE4000-memory.dmp

Filesize
208KB

Download
memory/1108-15-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-16-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/4724-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4724-17-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download