xloader | e07fbf3b9adba7e4aceb5cc6804c0002ee01c000d4e67ff3227f59eb9949c80e

Analysis

max time kernel
123s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c4de5dd6fc348f8d6d475c20da8e7b.exe
Size

835KB
MD5

e0c4de5dd6fc348f8d6d475c20da8e7b
SHA1

a49a0cf25cbc520a0d43791aeca50390ba86b86f
SHA256

e07fbf3b9adba7e4aceb5cc6804c0002ee01c000d4e67ff3227f59eb9949c80e
SHA512

0347d69efd04063ea9a77ca0b2b98827b993c6ca80e3ae713f48d0c3d5bba1f6e03e5d375d5da946dedb45dfebcaed37a0b7c68b7daec6836cb4fedbeb64fcb1
SSDEEP

12288:eDoR65AXwgFvuSSXszJCo0LLJQmf/dDhZxrAPnx/eE77w31nctqRyNnTJk/dWl2m:0oR6qgtrLLyYvxktN43qCyB1k/dWl2m

Score

10^/10

xloader wufn loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wufn

Decoy

rsautoluxe.com

theroseofsharonsalon.com

singnema.com

nathanielwhite108.com

theforumonline.com

iqpt.info

joneshondaservice.com

fafene.com

solanohomebuyerclass.com

zwq.xyz

searchlakeconroehomes.com

briative.com

frystmor.city

systemofyouth.com

sctsmney.com

tv-safetrading.com

thesweetboy.com

occulusblu.com

pawsthemomentpetphotography.com

travelstipsguide.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5016-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0c4de5dd6fc348f8d6d475c20da8e7b.exe

description pid process target process

PID 4736 set thread context of 5016 4736 e0c4de5dd6fc348f8d6d475c20da8e7b.exe e0c4de5dd6fc348f8d6d475c20da8e7b.exe

description	pid	process	target process
PID 4736 set thread context of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e0c4de5dd6fc348f8d6d475c20da8e7b.exee0c4de5dd6fc348f8d6d475c20da8e7b.exe

pid	process
4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
5016	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
5016	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
5016	e0c4de5dd6fc348f8d6d475c20da8e7b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e0c4de5dd6fc348f8d6d475c20da8e7b.exe

description pid process

Token: SeDebugPrivilege 4736 e0c4de5dd6fc348f8d6d475c20da8e7b.exe

description	pid	process
Token: SeDebugPrivilege	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e0c4de5dd6fc348f8d6d475c20da8e7b.exe

description	pid	process	target process
PID 4736 wrote to memory of 4528	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 4528	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 4528	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe
PID 4736 wrote to memory of 5016	4736	e0c4de5dd6fc348f8d6d475c20da8e7b.exe	e0c4de5dd6fc348f8d6d475c20da8e7b.exe

C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe
"C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe
"C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe"
2⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe
"C:\Users\Admin\AppData\Local\Temp\e0c4de5dd6fc348f8d6d475c20da8e7b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
1⤵
PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4736-8-0x00000000058C0000-0x00000000058DA000-memory.dmp

Filesize
104KB

Download
memory/4736-6-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4736-2-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/4736-3-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/4736-0-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4736-5-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4736-1-0x0000000000880000-0x0000000000956000-memory.dmp

Filesize
856KB

Download
memory/4736-7-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/4736-4-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/4736-9-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4736-10-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4736-11-0x00000000091E0000-0x0000000009280000-memory.dmp

Filesize
640KB

Download
memory/4736-12-0x000000000B5F0000-0x000000000B61E000-memory.dmp

Filesize
184KB

Download
memory/4736-15-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/5016-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5016-16-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download