xloader | 8b46ffe6f10e29d52a311f2516deb4f54b84ddedf75a3a6921e1423518658e26

Analysis

max time kernel
139s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4790a6bec0eb9efda12d2abe2bb38d00.exe
Size

1.3MB
MD5

4790a6bec0eb9efda12d2abe2bb38d00
SHA1

fee62df00e5888398be1cf7d8abc716afe43d37d
SHA256

8b46ffe6f10e29d52a311f2516deb4f54b84ddedf75a3a6921e1423518658e26
SHA512

751bc4ca9266183b1e4ca855cac6734b3148a51db845c33d664f6ce49c19091f2b703c756d5b51be6ba98e5774d462b9313ab3e20f1d4efc518260b8bbcc0840
SSDEEP

24576:0EUzRj83ukaDcTG7dDkuepQUsjtbbn2YgVuZlZcjOsZ3ON:y83uka7kuOQVRr2RvrO

Score

10^/10

xloader n84e loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n84e

Decoy

upscalebuyer.com

qtict.net

karlgillard.com

fangsbags.com

blackwhitebangtan.com

lojaautomatica.com

browbabelondon.com

dupladocabelo.com

tcheap3dwdshop.com

htnmg.com

globaltradeview.com

instrumentwinebreathe.net

futurejobstech.com

notemanches.com

myconventionalcooking.xyz

doniang.com

ouruiwh.com

tecnologiatimes.com

yxbmfc.com

mae-baby.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4696-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4696	4790a6bec0eb9efda12d2abe2bb38d00.exe
4696	4790a6bec0eb9efda12d2abe2bb38d00.exe
4696	4790a6bec0eb9efda12d2abe2bb38d00.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102
PID 5000 wrote to memory of 4696	5000	4790a6bec0eb9efda12d2abe2bb38d00.exe	102

C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe
"C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe
  "C:\Users\Admin\AppData\Local\Temp\4790a6bec0eb9efda12d2abe2bb38d00.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4696-15-0x0000000001B20000-0x0000000001E6A000-memory.dmp

Filesize
3.3MB

Download
memory/4696-16-0x0000000001B20000-0x0000000001E6A000-memory.dmp

Filesize
3.3MB

Download
memory/4696-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5000-4-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/5000-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-5-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

Filesize
40KB

Download
memory/5000-6-0x0000000006470000-0x000000000650C000-memory.dmp

Filesize
624KB

Download
memory/5000-7-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/5000-8-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-9-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/5000-10-0x0000000006390000-0x0000000006430000-memory.dmp

Filesize
640KB

Download
memory/5000-11-0x0000000002500000-0x0000000002530000-memory.dmp

Filesize
192KB

Download
memory/5000-2-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/5000-14-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-3-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/5000-1-0x00000000000C0000-0x0000000000212000-memory.dmp

Filesize
1.3MB

Download