xloader | 062a33046cca90bc6364cc29ccd47ae7f4165d388f5fb699bb88c35c4509bb90

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
Size

252KB
MD5

b610b5c669611fbb55ed5965a8cd0c10
SHA1

ecd743dc78d7aedaf33ffe0ddb8a6f242cb28b87
SHA256

062a33046cca90bc6364cc29ccd47ae7f4165d388f5fb699bb88c35c4509bb90
SHA512

33a51739fb7daed438c380fa54a9f8a39d80fffd5da709fab6bd2ccadc156c03a349bda89c4ee2677d4a1cf1fc2b7428be6cc005188b9d2305f7205020c220c3
SSDEEP

6144:wBlL/cN3UreO/tziKfxNBO9673wxrimNgxeh11/eHfiZ:CeN3U9IK5wxrPisz0o

Score

10^/10

xloader mxnu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2400-8-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

pid process

2980 b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

pid	process
2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

description	pid	process	target process
PID 2980 set thread context of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

pid process

2400 b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

pid	process
2400	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

description	pid	process	target process
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
PID 2980 wrote to memory of 2400	2980	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe	b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso40C9.tmp\rznjhun.dll
Filesize
32KB

MD5
49e3e63ae4d93b065720946ee9cfb161

SHA1
35634d8953dc28f7d5f9712e0f9839142f142a59

SHA256
7df0582dfc9b39225e3f5db2c9d707f392fa0cf96c440388bc97f792de260563

SHA512
30a3171524548d60451ecc6e8f6c95315d7e60d4a69e54071e7ef54a916ab4e59ab4d02d5eddf12073ebffc8fc8127eedf133f787ffcb0e8e0f30f9bf699c1d6

Download Submit
memory/2400-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2400-10-0x00000000006F0000-0x00000000009F3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads