xloader | 582ac71b89432d6b319e3fc21336c30090195549d9f9643a49cebf6a3e2ee05f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 17:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe
Size

736KB
MD5

27c225daac0c41786f416a73f6d4ee60
SHA1

2be9b42b658709ffb1f8326992668f64cb0b3690
SHA256

582ac71b89432d6b319e3fc21336c30090195549d9f9643a49cebf6a3e2ee05f
SHA512

b569fdfd7e7a2764e640dc8571a4c4f051ee3e1215d19cc7425e18e5c252346e4e2f2bbb693079529b3f9c8fe35f6e9ae6a25b8db5ab1b6a8201fd08ce9641ae
SSDEEP

12288:oKSbh08OGQuZLvqJFTPpGa9RMRGzkjPz3ICI1FHe2JWk3n9gbnLk3:ZnGQYTqlQGzkj7IC4e2L

Score

10^/10

xloader xc52 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

xc52

Decoy

koebnertriangle.com

maltbahis74.com

invisionment.com

buzzcupid.com

portavellarestaurant.com

vegan-mexican.com

magotan100.com

focalpatio.com

teammissouri.club

marketplacejoy.com

cxz6.com

bettersalud.info

viesereine.net

neondashboard.com

linuxsauce.net

samuelcollie.com

lavishlylashed.net

gosseinsag.com

isaeitaly.com

mediakal-sa.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2584-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe
2584	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2544	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2544	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2544	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2544	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29
PID 1444 wrote to memory of 2584	1444	27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\27c225daac0c41786f416a73f6d4ee60_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-6-0x0000000005BD0000-0x0000000005C52000-memory.dmp

Filesize
520KB

Download
memory/1444-15-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1444-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1444-3-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/1444-4-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1444-5-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1444-7-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/1444-0-0x0000000001320000-0x00000000013DE000-memory.dmp

Filesize
760KB

Download
memory/1444-1-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2584-16-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download