xloader | da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
Size

253KB
MD5

b1e98b432deb419643d81c167fe0dc37
SHA1

305c82fcc0699859e9fe11cc08f8678e23779a3e
SHA256

da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2
SHA512

440e0429a4bb817b7ca9bb91f722b6678a6e443a0239a1a859e0de9d8d76f78a4a3c47b2a89b0340f97a9015d852b070788ae1fcc7e0b819115b45c702d661ed
SSDEEP

6144:wBlL/c7DTS77ZWSwgwNbXX3VQ+Zw3JlKKjzUh30RfGK54ydrBv:Ce76hw1NXXFx+KzERtdrh

Score

10^/10

xloader mxnu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2216-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

pid process

2184 b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

pid	process
2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

description	pid	process	target process
PID 2184 set thread context of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

pid process

2216 b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

pid	process
2216	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

description	pid	process	target process
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
PID 2184 wrote to memory of 2216	2184	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe	b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1e98b432deb419643d81c167fe0dc37_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd3286.tmp\evpz.dll
Filesize
32KB

MD5
c820bfe346d35f1ed0d3017cadb8f16d

SHA1
a98131691df2b4445124304307130888050fe410

SHA256
439e5f590b4bea13a9bfb7c94bbd8fa99f45a310dc44c241db2375b4e8923cb3

SHA512
7d89e8677b46c3456559a0061f992be6169c63ec6a2a2eb7ec73ff36fe1fc28cbdbf3436c74fe528572b14f6865ec0f03e5480782243674ffc4423a00cefc66f

Download Submit
memory/2184-8-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2184-10-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2216-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-13-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads