xloader | 8b46ffe6f10e29d52a311f2516deb4f54b84ddedf75a3a6921e1423518658e26

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4790a6bec0eb9efda12d2abe2bb38d00.exe
Size

1.3MB
MD5

4790a6bec0eb9efda12d2abe2bb38d00
SHA1

fee62df00e5888398be1cf7d8abc716afe43d37d
SHA256

8b46ffe6f10e29d52a311f2516deb4f54b84ddedf75a3a6921e1423518658e26
SHA512

751bc4ca9266183b1e4ca855cac6734b3148a51db845c33d664f6ce49c19091f2b703c756d5b51be6ba98e5774d462b9313ab3e20f1d4efc518260b8bbcc0840
SSDEEP

24576:0EUzRj83ukaDcTG7dDkuepQUsjtbbn2YgVuZlZcjOsZ3ON:y83uka7kuOQVRr2RvrO

Score

10^/10

xloader n84e loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n84e

Decoy

upscalebuyer.com

qtict.net

karlgillard.com

fangsbags.com

blackwhitebangtan.com

lojaautomatica.com

browbabelondon.com

dupladocabelo.com

tcheap3dwdshop.com

htnmg.com

globaltradeview.com

instrumentwinebreathe.net

futurejobstech.com

notemanches.com

myconventionalcooking.xyz

doniang.com

ouruiwh.com

tecnologiatimes.com

yxbmfc.com

mae-baby.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2600-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29

Program crash 1 IoCs

pid	pid_target	Process
2728	2600	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 1448 wrote to memory of 2600	1448	4790a6bec0eb9efda12d2abe2bb38d00.exe	29
PID 2600 wrote to memory of 2728	2600	4790a6bec0eb9efda12d2abe2bb38d00.exe	28
PID 2600 wrote to memory of 2728	2600	4790a6bec0eb9efda12d2abe2bb38d00.exe	28
PID 2600 wrote to memory of 2728	2600	4790a6bec0eb9efda12d2abe2bb38d00.exe	28
PID 2600 wrote to memory of 2728	2600	4790a6bec0eb9efda12d2abe2bb38d00.exe	28

C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe
"C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe
  "C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 36
1⤵
- Program crash
PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-0-0x0000000001080000-0x00000000011D2000-memory.dmp

Filesize
1.3MB

Download
memory/1448-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-2-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/1448-3-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1448-4-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-5-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/1448-6-0x0000000005760000-0x0000000005800000-memory.dmp

Filesize
640KB

Download
memory/1448-7-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/1448-14-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2600-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2600-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download