xloader | 52b0438a43977e210e58786f139697a9007854f624d8901c891a9af69b87667f

Analysis

max time kernel
114s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b89444a1d633c44e1e9e54e3fdd1b0.exe
Size

945KB
MD5

02b89444a1d633c44e1e9e54e3fdd1b0
SHA1

6d560a1c41457fa9c88d5d218ea4a9ae670fbedd
SHA256

52b0438a43977e210e58786f139697a9007854f624d8901c891a9af69b87667f
SHA512

1521d912a90f74e46a6428eb4ee6bdf7561ff05260b9243a34e724b9be1424bec2f7c78ea527097a3d75f349e5afa485bc9aeb159d6186e1f621e462eacda5f7
SSDEEP

12288:qxDc9F3nC0Py3gAhSEJbjJEK1+E5Gl6twEtG5FhVvjRrry8rXcuzDD8qfv:6J5Gl6HE5FhhjRvy8Zdv

Score

10^/10

xloader earz loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

earz

Decoy

halacoupon.com

anthos-labs.com

hagertylabs.net

l1992.com

856379580.xyz

rcbb-technologies.com

realhoggapparel.com

sauceprince.com

tootingcab.com

4chase5.com

ordergogibibimbap.com

nyj.xyz

dermixspa.com

premiergiftingco.com

razorcentric.com

mbrealtyadvisors.com

officialjazz.club

cctv006.com

hbcuatthepolls.info

prestamos-ya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4052-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4052	02b89444a1d633c44e1e9e54e3fdd1b0.exe
4052	02b89444a1d633c44e1e9e54e3fdd1b0.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96
PID 2148 wrote to memory of 4052	2148	02b89444a1d633c44e1e9e54e3fdd1b0.exe	96

C:\Users\Admin\AppData\Local\Temp\02b89444a1d633c44e1e9e54e3fdd1b0.exe
"C:\Users\Admin\AppData\Local\Temp\02b89444a1d633c44e1e9e54e3fdd1b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\02b89444a1d633c44e1e9e54e3fdd1b0.exe
  "C:\Users\Admin\AppData\Local\Temp\02b89444a1d633c44e1e9e54e3fdd1b0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-8-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2148-2-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/2148-4-0x0000000005B20000-0x0000000005BBC000-memory.dmp

Filesize
624KB

Download
memory/2148-5-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/2148-1-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2148-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/2148-0-0x0000000000F10000-0x0000000001002000-memory.dmp

Filesize
968KB

Download
memory/2148-7-0x0000000005D10000-0x0000000005D28000-memory.dmp

Filesize
96KB

Download
memory/2148-6-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/2148-9-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/2148-10-0x0000000007330000-0x00000000073CA000-memory.dmp

Filesize
616KB

Download
memory/2148-11-0x0000000007150000-0x000000000717E000-memory.dmp

Filesize
184KB

Download
memory/2148-14-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/4052-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4052-15-0x0000000001260000-0x00000000015AA000-memory.dmp

Filesize
3.3MB

Download
memory/4052-16-0x0000000001260000-0x00000000015AA000-memory.dmp

Filesize
3.3MB

Download