xloader | 8436ced3953396414f8b719973ff09140f3909e188260e226c7b4b58fa39ee44

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1334561fb31974921383dfad2583192_JaffaCakes118.exe
Size

338KB
MD5

c1334561fb31974921383dfad2583192
SHA1

2068527228a3a742623ae471645dc86f1d82ce0e
SHA256

8436ced3953396414f8b719973ff09140f3909e188260e226c7b4b58fa39ee44
SHA512

6898e267f88f42cd5643d56f65f26907b4820048c544e295d11df8835e193ae5f2ce7e4b5e362bc3b8ef4a1b2aa64e580a26a895aebf9e0191b66aff2f0df661
SSDEEP

6144:PWoxgMkhBZUJNGGVrl66B4De9izV5owUUrAFyF+mwzamGB/q7SBT:PNSBa5V566WDFV5owMF++mmanPT

Score

10^/10

xloader bntn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bntn

Decoy

pollynfertility.com

frayahanson.com

longrunconsultancy.com

influencerimpactacademy.com

kentislandeats.com

71zkck.biz

835641.com

sklepmeki.store

lauradanielphotography.com

betnubhelp.com

invoicefunder.com

reignbeautycompany.com

eclipsegl.com

zacharyparkerporward5.com

alexiamalan.top

xn--299akkrtr22f.com

telex.business

pingsportsbet.com

fountainspringsrehab.com

intelbloodstock.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2372-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2372-14-0x0000000000A20000-0x0000000000D23000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	c1334561fb31974921383dfad2583192_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2372	2832	c1334561fb31974921383dfad2583192_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\c1334561fb31974921383dfad2583192_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1334561fb31974921383dfad2583192_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\c1334561fb31974921383dfad2583192_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c1334561fb31974921383dfad2583192_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-14-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2372-13-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2372-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2372-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2832-3-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2832-6-0x0000000004D70000-0x0000000004DC2000-memory.dmp

Filesize
328KB

Download
memory/2832-5-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/2832-4-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-0-0x0000000000150000-0x00000000001AA000-memory.dmp

Filesize
360KB

Download
memory/2832-12-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/2832-2-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/2832-1-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download