xloader | d2aa010515bc8390084659013a1fd1e3e476e36ce46293281deb95c4469663f9

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
Size

491KB
MD5

4a54677c5f20159f74c46a4dc990c69f
SHA1

b879afb455ca927b6acca59b38f77a2188857ed1
SHA256

d2aa010515bc8390084659013a1fd1e3e476e36ce46293281deb95c4469663f9
SHA512

990405692fbf867bd799d92e52b1378b2d7128c45ec0f6e53367830dbd811f5c33c42c1fefe5b5f4a34cab2d68be9aeffb6252da1557f6efdac142c74b151b60
SSDEEP

12288:gfSBNPdJaQmuRFuh9VAP1ZViSMlqj5hbwCeHggTGatOXExn/5fK:RBtSQm0M0vVAqj5RQHgWGcsEFk

Score

10^/10

xloader b5ce loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b5ce

Decoy

advellerd.xyz

giasuvina.com

arab-xt-pro.com

ahsltu2ua4.com

trasportesemmanuel.com

kissimmeesoccercup.com

studyengland.com

m2volleyballclub.com

shyuehuan.com

elsml.com

blog-x-history.top

coditeu.com

allattachments.net

vigautruc.com

mentication.com

zambiaedu.xyz

filadelfiacenter.com

avlaborsourceinc.info

tameka-stewart.com

studio-cleo.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2748-10-0x0000000000400000-0x0000000000429000-memory.dmp xloader
behavioral1/memory/2748-13-0x0000000000910000-0x0000000000C13000-memory.dmp xloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

description pid process target process

PID 2284 set thread context of 2748 2284 4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe 4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

pid process

2748 4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2748-10-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2748-13-0x0000000000910000-0x0000000000C13000-memory.dmp	xloader

description	pid	process	target process
PID 2284 set thread context of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

pid	process
2748	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

description	pid	process	target process
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
PID 2284 wrote to memory of 2748	2284	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe	4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a54677c5f20159f74c46a4dc990c69f_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2284-11-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-1-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2284-3-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2284-4-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-5-0x0000000004C80000-0x0000000004CF4000-memory.dmp

Filesize
464KB

Download
memory/2284-0-0x0000000001320000-0x00000000013A2000-memory.dmp

Filesize
520KB

Download
memory/2748-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2748-12-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2748-13-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download