xloader | 00a9f766c47eed9e7b5eb6069a7803bd215ad5513865d675c0e6befb75c4ee0c

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25e0d7d8ec7b207b6084348d872db814_JaffaCakes118.exe
Size

358KB
MD5

25e0d7d8ec7b207b6084348d872db814
SHA1

3c573c3e4d06748905be128eeb1214eae8a4aded
SHA256

00a9f766c47eed9e7b5eb6069a7803bd215ad5513865d675c0e6befb75c4ee0c
SHA512

84b344a0bd5bfa0df07d0c90d5a796c85d8ef6b60dfd8fbe662a77aeebe07f1713c2af2e54e8ddcf351fb39076c30dff1a3a063b5091ea202967234a3707d4a3
SSDEEP

6144:J+ka80Y2N8IOrJPAZub35+4NsPOrpz/Kc0zGqqX7tNfVXVHQLIiu8cfo0/pW:Jxa8V2N8IVUJ+iAOSzVwZGEX8cA0/M

Score

10^/10

xloader bs8f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

Decoy

vasilnikov.com

parkate.club

pol360.com

handmadequatang.com

consult-set.com

nourkoki.com

theveganfusspot.com

dreamssail.com

pinpinyouqian.xyz

satellitphonestore.com

yotosunny.com

telosaolympics.com

gogetemm.com

yozotnpasumo2.xyz

avantgardemarket.com

glenndcp.com

dirtydriverz.com

avaui.com

anchoredtheblog.com

marianaoliveiraarquitetura.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4280-2-0x0000000004C70000-0x0000000004C99000-memory.dmp	xloader
behavioral2/memory/4280-4-0x0000000000400000-0x0000000002F24000-memory.dmp	xloader
behavioral2/memory/4280-5-0x0000000004C70000-0x0000000004C99000-memory.dmp	xloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3956 4280 WerFault.exe 25e0d7d8ec7b207b6084348d872db814_JaffaCakes118.exe

pid	pid_target	process	target process
3956	4280	WerFault.exe	25e0d7d8ec7b207b6084348d872db814_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\25e0d7d8ec7b207b6084348d872db814_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25e0d7d8ec7b207b6084348d872db814_JaffaCakes118.exe"
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 280
2⤵
- Program crash
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4280 -ip 4280
1⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4280-1-0x0000000002F40000-0x0000000003040000-memory.dmp

Filesize
1024KB

Download
memory/4280-2-0x0000000004C70000-0x0000000004C99000-memory.dmp

Filesize
164KB

Download
memory/4280-4-0x0000000000400000-0x0000000002F24000-memory.dmp

Filesize
43.1MB

Download
memory/4280-5-0x0000000004C70000-0x0000000004C99000-memory.dmp

Filesize
164KB

Download