xloader | 6ce6f6c16310e90a3d624750f1d7146aa4d2e8baa04d409133869199d4a5d23a

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

190bbbb3ef3a08fc73a9d397f87de2ec.exe
Size

1.5MB
MD5

190bbbb3ef3a08fc73a9d397f87de2ec
SHA1

c81ffe08d0c6b7859d5c668fc8a756c8acb0b451
SHA256

6ce6f6c16310e90a3d624750f1d7146aa4d2e8baa04d409133869199d4a5d23a
SHA512

c379b287d4464bd1de5573500733429ea2cb40c45a67a56d90124660961199a4aa00f74dbdf45cab02ca67ce778787ad7b9fe993d59501c5dc869610a82a2f33
SSDEEP

12288:v+q3bFCO9bHBa3AWZavABd0YItKOxZsSbWQdOm//8xLrQ6H+Uy1Susr8MmH3j5:R19bHBiHj6cOxvbWQd9/EFMZZS5R0

Score

10^/10

xloader m7gs loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m7gs

Decoy

goodxxxhigh.com

blun33.com

mcbt328.com

sxtdba.com

sagalocal.icu

spentonindustries.com

greatexpectationssouthshore.com

herzenco.com

duoxizhe.com

h-mawari.net

jeevicain.com

sculpted-vegan.net

vipchainwallet.com

smartanalytics.info

jiujirat.com

canhoquan8-centralpremium.com

pasarandir.com

mario17331.com

dillonsavage.com

ladiesboxx.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2612	190bbbb3ef3a08fc73a9d397f87de2ec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30
PID 2536 wrote to memory of 2612	2536	190bbbb3ef3a08fc73a9d397f87de2ec.exe	30

C:\Users\Admin\AppData\Local\Temp\190bbbb3ef3a08fc73a9d397f87de2ec.exe
"C:\Users\Admin\AppData\Local\Temp\190bbbb3ef3a08fc73a9d397f87de2ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\190bbbb3ef3a08fc73a9d397f87de2ec.exe
  "C:\Users\Admin\AppData\Local\Temp\190bbbb3ef3a08fc73a9d397f87de2ec.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-6-0x00000000057C0000-0x000000000585E000-memory.dmp

Filesize
632KB

Download
memory/2536-13-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-2-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2536-3-0x0000000000290000-0x00000000002AE000-memory.dmp

Filesize
120KB

Download
memory/2536-4-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-5-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/2536-7-0x0000000000650000-0x000000000067E000-memory.dmp

Filesize
184KB

Download
memory/2536-1-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-0-0x0000000000980000-0x0000000000B08000-memory.dmp

Filesize
1.5MB

Download
memory/2612-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2612-14-0x0000000000B10000-0x0000000000E13000-memory.dmp

Filesize
3.0MB

Download