xloader | 6fd8c63bf53f7364e54505eb98e1b6fc005fbb691a65680e400e7b9104ad1795

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1d1316d5bc047ec817b950286734ed0.exe
Size

1.3MB
MD5

e1d1316d5bc047ec817b950286734ed0
SHA1

ae3cb4a0103f8daa9ec8f6dc00b6bfeb3f1c52ca
SHA256

6fd8c63bf53f7364e54505eb98e1b6fc005fbb691a65680e400e7b9104ad1795
SHA512

88a8f1555bc906728a9ab429899e2ae7d5eefa57128072607423cca26e36044160f6383f3568a581a786780a6a0fdd54cf13b9222c550dc6e66b8994fcc2b168
SSDEEP

24576:gzeFrYS/d3kYdkhlOAnxHRrjz+LVL+eQBDmwRGPoN7vdiTbnFM:5H2lOAnxHRrjz+ZL+eum/PoiM

Score

10^/10

xloader ajs8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ajs8

Decoy

lotfysupport.net

tradingsentral.com

mobiles240.com

redecompre.com

mulliganjames.com

excursionlanzarote.com

n1getaccess.com

wirelessconsole.com

thevez.net

joygshpng.com

arandawines.com

eliassantis.net

racevc.com

mybluemonitor.com

jual-penggugurkandungan.com

connectgf.com

nmpsolutions.com

anipawesome.com

vissito.com

terracottagkp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/4084-8-0x0000000002B60000-0x0000000002B72000-memory.dmp	CustAttr

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2868-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4084 set thread context of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4084	e1d1316d5bc047ec817b950286734ed0.exe
4084	e1d1316d5bc047ec817b950286734ed0.exe
2868	e1d1316d5bc047ec817b950286734ed0.exe
2868	e1d1316d5bc047ec817b950286734ed0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	e1d1316d5bc047ec817b950286734ed0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2616	4084	e1d1316d5bc047ec817b950286734ed0.exe	101
PID 4084 wrote to memory of 2616	4084	e1d1316d5bc047ec817b950286734ed0.exe	101
PID 4084 wrote to memory of 2616	4084	e1d1316d5bc047ec817b950286734ed0.exe	101
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102
PID 4084 wrote to memory of 2868	4084	e1d1316d5bc047ec817b950286734ed0.exe	102

C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe
"C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe
  "C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe
  "C:\Users\Admin\AppData\Local\Temp\e1d1316d5bc047ec817b950286734ed0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2868-17-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download
memory/2868-16-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download
memory/4084-8-0x0000000002B60000-0x0000000002B72000-memory.dmp

Filesize
72KB

Download
memory/4084-10-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4084-5-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4084-6-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4084-7-0x00000000054B0000-0x0000000005506000-memory.dmp

Filesize
344KB

Download
memory/4084-0-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4084-9-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4084-4-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/4084-11-0x0000000006B00000-0x0000000006B9A000-memory.dmp

Filesize
616KB

Download
memory/4084-12-0x0000000006850000-0x000000000687E000-memory.dmp

Filesize
184KB

Download
memory/4084-3-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/4084-15-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/4084-2-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/4084-1-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download