xloader | 69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

111d2be6108ec665c15caae8b6964387.exe
Size

1.3MB
MD5

111d2be6108ec665c15caae8b6964387
SHA1

04228ee5fb9fbe16b3a6406f64a067c15d549faa
SHA256

69a08fcc2b3eb5499a9356a801bb646d7726dc158cba7f141335997f374ead38
SHA512

2fcf5640c8fc5d08ed6737caab9fe8f359671f272b1a0992c360887e6166597b9cfd7c5efe7b5e2c418b0e9dd0392e54ea4bfe1b7aa62437cc509869f49c2a94
SSDEEP

24576:oKIUradyDYzq7qbJvrd3nKivWV/Nm/y12Nhmk+p:nIqadyM27qbFrZJdyYw

Score

10^/10

xloader ssee loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ssee

Decoy

portalcanaa.com

korzino.com

dlylms.net

smartearphoneshop.com

olimiloshop.com

auvdigitalstack.com

ydxc.chat

yhk868.com

lifeinthedport.com

self-sciencelabs.com

scandicpack.com

hold-sometimes.xyz

beiputei.com

yourrealtorcoach.com

rxods.com

fundsoption.com

ahlstromclothes.com

ksdieselparts.com

accountmangerford.com

kuwaitlogistic.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2012-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	111d2be6108ec665c15caae8b6964387.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30
PID 2912 wrote to memory of 2012	2912	111d2be6108ec665c15caae8b6964387.exe	30

C:\Users\Admin\AppData\Local\Temp\111d2be6108ec665c15caae8b6964387.exe
"C:\Users\Admin\AppData\Local\Temp\111d2be6108ec665c15caae8b6964387.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\111d2be6108ec665c15caae8b6964387.exe
  "C:\Users\Admin\AppData\Local\Temp\111d2be6108ec665c15caae8b6964387.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2012-14-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/2012-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2012-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2912-3-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2912-6-0x0000000006050000-0x00000000060DC000-memory.dmp

Filesize
560KB

Download
memory/2912-7-0x00000000047F0000-0x0000000004848000-memory.dmp

Filesize
352KB

Download
memory/2912-5-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2912-4-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-0-0x0000000000F90000-0x00000000010DE000-memory.dmp

Filesize
1.3MB

Download
memory/2912-2-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2912-13-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-1-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download