xloader | 6fac52318b313ba9642ecb060c7725dbbd3e0b1146e936deb2b635ce7a255a2e

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372fe4529580602a406a6ffad7739581.exe
Size

673KB
MD5

372fe4529580602a406a6ffad7739581
SHA1

656104739470b5119ec630eb19603d9677a4fa03
SHA256

6fac52318b313ba9642ecb060c7725dbbd3e0b1146e936deb2b635ce7a255a2e
SHA512

5e3c4c50c0384a589f483d9b6abfaef3dd805e104dadc7156d8fb901e3aa272c134ff987e7fe7dbdb472e69321c5583bc3049882888806b993a36a1799cff76f
SSDEEP

12288:Z7n6jcVXAQfGq1Q/o2sKGUnQKlnZ3Xxs31:F6AVXpqMHUQKVZnc

Score

10^/10

xloader mej0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mej0

Decoy

mtxs8.com

quickskiplondon.com

sltplanner.com

generatedate.com

amsinspections.com

tomrings.com

109friends.com

freelovereading.com

avalapartners.com

nordiqueluxury.com

inmbex.com

everybankatm.com

bo1899.com

ashymeadow.com

pubgm-chickendinner.com

takudolunch.com

carlagremiao.com

actonetheatre.com

wemhealth.com

khasomat.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3828-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3828	372fe4529580602a406a6ffad7739581.exe
3828	372fe4529580602a406a6ffad7739581.exe
3828	372fe4529580602a406a6ffad7739581.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100
PID 1988 wrote to memory of 3828	1988	372fe4529580602a406a6ffad7739581.exe	100

C:\Users\Admin\AppData\Local\Temp\372fe4529580602a406a6ffad7739581.exe
"C:\Users\Admin\AppData\Local\Temp\372fe4529580602a406a6ffad7739581.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\372fe4529580602a406a6ffad7739581.exe
  "C:\Users\Admin\AppData\Local\Temp\372fe4529580602a406a6ffad7739581.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-6-0x0000000005E00000-0x0000000005E1C000-memory.dmp

Filesize
112KB

Download
memory/1988-10-0x0000000007400000-0x0000000007464000-memory.dmp

Filesize
400KB

Download
memory/1988-2-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/1988-3-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/1988-4-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/1988-5-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/1988-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/1988-8-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/1988-1-0x0000000000FC0000-0x000000000106E000-memory.dmp

Filesize
696KB

Download
memory/1988-9-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/1988-7-0x0000000006CF0000-0x0000000006D8C000-memory.dmp

Filesize
624KB

Download
memory/1988-11-0x00000000099F0000-0x0000000009A20000-memory.dmp

Filesize
192KB

Download
memory/1988-14-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3828-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3828-15-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download