xloader | 9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
Size

949KB
MD5

e752ae0abe724829b72a2df162596e66
SHA1

123a9f1b3ef781f53833216bba2f93db069d017f
SHA256

9744a8f624cc86bce830db5caf4a5a8b2263b51f53ca384908b2557e5f9ce99d
SHA512

194ebe2332cc2aa6a177353b19d49749743a94a7145f1b83212b500f490a10cb060700a3fcbd545090c0e4401efd2a0fc23990d6291825880433d5271e415a17
SSDEEP

12288:y/WDc9F3nC0Py3gAhqEJbjJEKuR/pKhAgjqzkI9ymd4txhJrqU3Glk5u1EBbCaj:Q7+hX2zywkxhJrRcOuuC

Score

10^/10

xloader ssee loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ssee

Decoy

portalcanaa.com

korzino.com

dlylms.net

smartearphoneshop.com

olimiloshop.com

auvdigitalstack.com

ydxc.chat

yhk868.com

lifeinthedport.com

self-sciencelabs.com

scandicpack.com

hold-sometimes.xyz

beiputei.com

yourrealtorcoach.com

rxods.com

fundsoption.com

ahlstromclothes.com

ksdieselparts.com

accountmangerford.com

kuwaitlogistic.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4580-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3708 set thread context of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
4580	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
4580	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2036	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	96
PID 3708 wrote to memory of 2036	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	96
PID 3708 wrote to memory of 2036	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	96
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97
PID 3708 wrote to memory of 4580	3708	e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e752ae0abe724829b72a2df162596e66_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3708-8-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-6-0x0000000004C40000-0x0000000004C4A000-memory.dmp

Filesize
40KB

Download
memory/3708-2-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/3708-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/3708-0-0x00000000001A0000-0x0000000000294000-memory.dmp

Filesize
976KB

Download
memory/3708-5-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3708-1-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-7-0x0000000004E60000-0x0000000004E78000-memory.dmp

Filesize
96KB

Download
memory/3708-4-0x0000000004D40000-0x0000000004DDC000-memory.dmp

Filesize
624KB

Download
memory/3708-9-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3708-10-0x0000000006240000-0x00000000062DE000-memory.dmp

Filesize
632KB

Download
memory/3708-11-0x0000000006300000-0x000000000632E000-memory.dmp

Filesize
184KB

Download
memory/3708-14-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4580-15-0x00000000013F0000-0x000000000173A000-memory.dmp

Filesize
3.3MB

Download
memory/4580-16-0x00000000013F0000-0x000000000173A000-memory.dmp

Filesize
3.3MB

Download