xloader | 435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ddba9dd096fe52fcd90d41478bfcba5.exe
Size

677KB
MD5

3ddba9dd096fe52fcd90d41478bfcba5
SHA1

43c708bca3d1bb944adc81b3b7a1f7b2fb80c4f6
SHA256

435b924af18dce67e3fbc2b55fc515b839fe883da2e10fd3c8c21859a1181d64
SHA512

5c7e6ce588c3236370b88a385733301161b3ed5869e4cfbde5b7d6b04a1c3b1f4ae4ae5c268dde2923bc4c091f70edd19cf14cf4995de19f19c27cbc6e064feb
SSDEEP

12288:PLI/HK7zE857ioHjT4d1MIi7vKgwl6m/Zcl2APRq6to0D2TPgRqIq:zb7ioHjT44j7vPmhwn9X2T+

Score

10^/10

xloader ssee loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ssee

Decoy

portalcanaa.com

korzino.com

dlylms.net

smartearphoneshop.com

olimiloshop.com

auvdigitalstack.com

ydxc.chat

yhk868.com

lifeinthedport.com

self-sciencelabs.com

scandicpack.com

hold-sometimes.xyz

beiputei.com

yourrealtorcoach.com

rxods.com

fundsoption.com

ahlstromclothes.com

ksdieselparts.com

accountmangerford.com

kuwaitlogistic.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2808-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	3ddba9dd096fe52fcd90d41478bfcba5.exe
2808	3ddba9dd096fe52fcd90d41478bfcba5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2220	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	30
PID 2236 wrote to memory of 2220	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	30
PID 2236 wrote to memory of 2220	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	30
PID 2236 wrote to memory of 2220	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	30
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31
PID 2236 wrote to memory of 2808	2236	3ddba9dd096fe52fcd90d41478bfcba5.exe	31

C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe
"C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe"
  2⤵
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddba9dd096fe52fcd90d41478bfcba5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-6-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/2236-15-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-2-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/2236-3-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/2236-4-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-5-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/2236-7-0x00000000009F0000-0x0000000000A1E000-memory.dmp

Filesize
184KB

Download
memory/2236-0-0x0000000001110000-0x00000000011C0000-memory.dmp

Filesize
704KB

Download
memory/2236-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-16-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download