xloader | 3085d62628657edccc65a18edda86f253fb86712a4e50b1cf67828bfa2d33e80

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a91f6caa3965066b881d1de7a67f1b9.exe
Size

680KB
MD5

3a91f6caa3965066b881d1de7a67f1b9
SHA1

6097fcf7687e0ec485eae2d57cf9b993ab520375
SHA256

3085d62628657edccc65a18edda86f253fb86712a4e50b1cf67828bfa2d33e80
SHA512

516b5704221bc49d607b80bafd6841976019f908869449c97f6a27c2840d43f62c76af2c5e464fb6b3f04079045b95883d3ed7fd684be1a269ec1663ba2b2dfb
SSDEEP

6144:SDnzTkV5gplawjJlNbno7QCGyfVENB+r5XmLXGZEKr042gBHL3Q9I5Oup:4nxawjlnAVfVIBc5XmL2O42gBHDQ9WN

Score

10^/10

xloader k8b5 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

k8b5

Decoy

sardamedicals.com

reelectkendavis4council.com

coreconsultation.com

fajarazhary.com

mybitearner.com

brightpet.info

voicewithchoice.com

bailbondscompany.xyz

7133333333.com

delights.info

gawlvegdr.icu

sdqhpm.com

we2savvyok.com

primallifeathlete.com

gdsinglecell.com

isokineticmachines.com

smartneckrelax.com

gardenvintage.com

hiphopvolume.com

medicapoint.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2588-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a91f6caa3965066b881d1de7a67f1b9.exe

description pid process target process

PID 2188 set thread context of 2588 2188 3a91f6caa3965066b881d1de7a67f1b9.exe 3a91f6caa3965066b881d1de7a67f1b9.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3a91f6caa3965066b881d1de7a67f1b9.exe

pid process

2588 3a91f6caa3965066b881d1de7a67f1b9.exe

description	pid	process	target process
PID 2188 set thread context of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe

pid	process
2588	3a91f6caa3965066b881d1de7a67f1b9.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3a91f6caa3965066b881d1de7a67f1b9.exe

description	pid	process	target process
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe
PID 2188 wrote to memory of 2588	2188	3a91f6caa3965066b881d1de7a67f1b9.exe	3a91f6caa3965066b881d1de7a67f1b9.exe

C:\Users\Admin\AppData\Local\Temp\3a91f6caa3965066b881d1de7a67f1b9.exe
"C:\Users\Admin\AppData\Local\Temp\3a91f6caa3965066b881d1de7a67f1b9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\3a91f6caa3965066b881d1de7a67f1b9.exe
"C:\Users\Admin\AppData\Local\Temp\3a91f6caa3965066b881d1de7a67f1b9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2588

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-6-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/2188-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2188-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2188-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2188-0-0x0000000000C20000-0x0000000000CD0000-memory.dmp

Filesize
704KB

Download
memory/2188-7-0x0000000000BA0000-0x0000000000BD0000-memory.dmp

Filesize
192KB

Download
memory/2188-15-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-16-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2588-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download