xloader | 71e6e7d336cab608f2a3f0c6535a2ba1e0b0ec7b505c8f079f6d340f1c28dea8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe
Size

294KB
MD5

eee74ecebe1db0d00c91e42c8f9d4291
SHA1

cf189ab83818e7ce393e684e35a32523a89bb79b
SHA256

71e6e7d336cab608f2a3f0c6535a2ba1e0b0ec7b505c8f079f6d340f1c28dea8
SHA512

2d20d910d31fa39a929be31bcf222c0922dd989ee3593c223cf0a1ed8c16eb1fd9c03a6e928ed7e2f6b6b908518b87b42404880dde7ec6e80970abc704e1ff5b
SSDEEP

6144:L6IXCyvGniwEKbnsoqoo6tynz5Sdl+23i9IfX71+GWiUlXnCw:TXDvhwZrASynkdQUi9Iv7hW3Cw

Score

10^/10

xloader qb4a loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

qb4a

Decoy

travelsonabike2.net

eurekaprice.com

bkardd.com

vr893.com

nnsxykj.com

q-p.info

691485.com

magixe.com

frankysfurnituregallery.com

businessloansug.com

rocketcompaniesshady.info

lercoantincenti.com

pelosi4never.com

bide168.com

socialsecuritybonds.com

xn--hy1bj7gtvmh9a15t.com

anjaschaefer.net

wickedfavicon.com

bitesizedstudio.com

ecogiftsuk.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2336-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4268 set thread context of 2336	4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2336	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe
2336	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2336	4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe	88
PID 4268 wrote to memory of 2336	4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe	88
PID 4268 wrote to memory of 2336	4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe	88
PID 4268 wrote to memory of 2336	4268	eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eee74ecebe1db0d00c91e42c8f9d4291_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2336-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2336-4-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/2336-5-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/4268-1-0x0000000000E60000-0x0000000000F60000-memory.dmp

Filesize
1024KB

Download
memory/4268-2-0x0000000002C50000-0x0000000002C52000-memory.dmp

Filesize
8KB

Download