xloader | 18e6e02d43d660b18e79a33afd5448f28bf7e24a2bcc070667cedda0f8e97a25

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3491c33f5128081ae84219bbc4068fcb.exe
Size

324KB
MD5

3491c33f5128081ae84219bbc4068fcb
SHA1

23f1bd76d12ae78dcccaa244a6cec80d85ea7258
SHA256

18e6e02d43d660b18e79a33afd5448f28bf7e24a2bcc070667cedda0f8e97a25
SHA512

ce90ec8db5aa48e53c1a9d9df7194c80090fc7f978c990bda0eb1ee6910233173f4342fa5210fb628ba26a0c12accc8134b95cb7fe313c3b2ef93d6eefe783d2
SSDEEP

6144:gMIGxTYW0K/+vUfxn9lzUZdXjqDEByRQYC04czlbVzXjVxg+lK:+GxEW0K/+vUfxn9lodXjqyTFcJbV7Dg+

Score

10^/10

xloader iq3g loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

iq3g

Decoy

itbcx.com

katielegget.com

myneighorsbasement.com

charts.wiki

toricolucci.com

ntlichengmodel.com

onsaleja.com

nailsbyleentje.com

freya-lux.com

moodyblack.com

mseoljaehwi.com

successfulsend.com

dr-roach.com

nargilegalerisi.com

animalhoney.com

indiarankers.com

botcantaysitokata.club

okinawakurashinavi.com

ceev-japan.com

shsqyy.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2004-2-0x0000000000220000-0x000000000024A000-memory.dmp	xloader
behavioral1/memory/760-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

3491c33f5128081ae84219bbc4068fcb.exe

description pid process target process

PID 2004 set thread context of 760 2004 3491c33f5128081ae84219bbc4068fcb.exe 3491c33f5128081ae84219bbc4068fcb.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3491c33f5128081ae84219bbc4068fcb.exe

pid process

760 3491c33f5128081ae84219bbc4068fcb.exe

description	pid	process	target process
PID 2004 set thread context of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe

pid	process
760	3491c33f5128081ae84219bbc4068fcb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3491c33f5128081ae84219bbc4068fcb.exe

description	pid	process	target process
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe
PID 2004 wrote to memory of 760	2004	3491c33f5128081ae84219bbc4068fcb.exe	3491c33f5128081ae84219bbc4068fcb.exe

C:\Users\Admin\AppData\Local\Temp\3491c33f5128081ae84219bbc4068fcb.exe
"C:\Users\Admin\AppData\Local\Temp\3491c33f5128081ae84219bbc4068fcb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\3491c33f5128081ae84219bbc4068fcb.exe
"C:\Users\Admin\AppData\Local\Temp\3491c33f5128081ae84219bbc4068fcb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/760-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/760-8-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2004-1-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2004-2-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download