xloader | b6a58224bb0fbca5d4a297bdc2237ffd671e5548ebd6d35434ae1196df97f8d9

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe
Size

380KB
MD5

ec2f93b390bf003cde1dc7dbb74a4ff2
SHA1

a7b0bf6d61332901a3eb6c8f175c1e2f71cb3689
SHA256

b6a58224bb0fbca5d4a297bdc2237ffd671e5548ebd6d35434ae1196df97f8d9
SHA512

b7ee3516efa1938d398909a4949c5e129eb8fe206501516c96ef7309998707f9af6eafa975be18e900b9be4c67d8db1d7e76147fb352b97d477d824fad67c227
SSDEEP

6144:ZUGnO5j4HaA0vFBur4xeRt/+TKSyMNF5889eZwlqiaTXAbn9Erl6Vkp80sxH30Oa:qdqaA0vFBur4TByMNr/9nzaTXyn9EwVg

Score

10^/10

xloader qb4a loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

qb4a

Decoy

travelsonabike2.net

eurekaprice.com

bkardd.com

vr893.com

nnsxykj.com

q-p.info

691485.com

magixe.com

frankysfurnituregallery.com

businessloansug.com

rocketcompaniesshady.info

lercoantincenti.com

pelosi4never.com

bide168.com

socialsecuritybonds.com

xn--hy1bj7gtvmh9a15t.com

anjaschaefer.net

wickedfavicon.com

bitesizedstudio.com

ecogiftsuk.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5028-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4112 set thread context of 5028	4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5028	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe
5028	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 5028	4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe	85
PID 4112 wrote to memory of 5028	4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe	85
PID 4112 wrote to memory of 5028	4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe	85
PID 4112 wrote to memory of 5028	4112	ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec2f93b390bf003cde1dc7dbb74a4ff2_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4112-1-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/4112-2-0x0000000001520000-0x0000000001522000-memory.dmp

Filesize
8KB

Download
memory/5028-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5028-4-0x00000000010E0000-0x000000000142A000-memory.dmp

Filesize
3.3MB

Download