xloader | f515599d9ab7045656d0976c3aa5740feab68f862fa2e339379a1118f8ccba4a

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89988ac505f3a7eedd5a842d23683f10.exe
Size

921KB
MD5

89988ac505f3a7eedd5a842d23683f10
SHA1

087322adf2ee38e7b50bdc0b0a3c92d6657e5ab4
SHA256

f515599d9ab7045656d0976c3aa5740feab68f862fa2e339379a1118f8ccba4a
SHA512

03f97c8fe7240f0b89013ed8fe77cefad7ac61d70f9e07981986d96663b4dc90530485c204fe5d9e0e481bb49f4b7301fb3874f57aec17f66afe011b9adea514
SSDEEP

12288:FextSIBGwdaXS2IaG+Xn+yaH8yNwQu8mLusqsw+4aDHC/pnyGfoB8ZqiCNu:Ext7BTd/aTyHteusqswA9sw8iU

Score

10^/10

xloader ftgq loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ftgq

Decoy

naturalbeautyapparel.com

abtotalsolution.com

periclescapitalmanagement.com

pleasejustdont.com

ryanscode.com

carsandscooters.com

best-polarized-sunglasses.com

hoodshawaii.com

titaefred.com

tomrings.com

swededenoting.host

birthdaytease.com

xaydzn.com

scutganxun.com

gdzhongle.com

alossol.com

shivamshield.com

fashionnailsjohnston.com

jobuelas.com

arvopaert.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2792-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	89988ac505f3a7eedd5a842d23683f10.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2168	89988ac505f3a7eedd5a842d23683f10.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23
PID 2168 wrote to memory of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23
PID 2168 wrote to memory of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23
PID 2168 wrote to memory of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23
PID 2168 wrote to memory of 2792	2168	89988ac505f3a7eedd5a842d23683f10.exe	23

C:\Users\Admin\AppData\Local\Temp\89988ac505f3a7eedd5a842d23683f10.exe
"C:\Users\Admin\AppData\Local\Temp\89988ac505f3a7eedd5a842d23683f10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\89988ac505f3a7eedd5a842d23683f10.exe
  "C:\Users\Admin\AppData\Local\Temp\89988ac505f3a7eedd5a842d23683f10.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-1-0x00000000001E0000-0x00000000002E0000-memory.dmp

Filesize
1024KB

Download
memory/2168-2-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2792-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-4-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

Filesize
3.0MB

Download