xloader | ed97e9802edd407c13fe0fa214582d2c4623797bb0c38b0b583a1d919d078284

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0ed2e7cf6f9f1d1c50685e851a06412.exe
Size

387KB
MD5

f0ed2e7cf6f9f1d1c50685e851a06412
SHA1

3d0949bc857db236e56c495d6a570e54bd09d6c8
SHA256

ed97e9802edd407c13fe0fa214582d2c4623797bb0c38b0b583a1d919d078284
SHA512

23141f5ab73b9ced48e51a77b57dc3d5eb37ae23d768addf326b22ffdef7b01118746728643fe267071c6863a04a6a72c2937998d40efa7cdfb84c3a918535cf
SSDEEP

12288:/fiNDGoVZvUiJo7uhXDR7D+d7to2wk6EfLg:S1xJo6hTR7DSxo236f

Score

10^/10

xloader qmf6 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

qmf6

Decoy

triloxi.com

blackstogether.com

jctradingllc.com

debbieandlesa.com

badseedsco.com

tjlovers.com

creativeresourcesconsulting.com

ksmjobs.net

reginajohas.net

site123web.com

pracliphardware.com

lunchtimewithtwilyght.com

remotereel.com

spartanmu.com

porter-booking-engine.com

slouberdounces.com

certificationsarchive.com

kat420nip.com

prancegoldholdingsjewels.com

xn--botiqunbotnico-4gb1q.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2284-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2284	f0ed2e7cf6f9f1d1c50685e851a06412.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
852	f0ed2e7cf6f9f1d1c50685e851a06412.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28
PID 852 wrote to memory of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28
PID 852 wrote to memory of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28
PID 852 wrote to memory of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28
PID 852 wrote to memory of 2284	852	f0ed2e7cf6f9f1d1c50685e851a06412.exe	28

C:\Users\Admin\AppData\Local\Temp\f0ed2e7cf6f9f1d1c50685e851a06412.exe
"C:\Users\Admin\AppData\Local\Temp\f0ed2e7cf6f9f1d1c50685e851a06412.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\f0ed2e7cf6f9f1d1c50685e851a06412.exe
  "C:\Users\Admin\AppData\Local\Temp\f0ed2e7cf6f9f1d1c50685e851a06412.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/852-2-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2284-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-6-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download