xloader | 237a1e97a6c1bca59ddb80fd572c4f242d1fc90b0b1ad0d9996d8aba93c40b0a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0194f354acfcdef542970496608eb99_JaffaCakes118.exe
Size

714KB
MD5

f0194f354acfcdef542970496608eb99
SHA1

480b873a53ffb3c5b9bf4e710e65e94123929ae8
SHA256

237a1e97a6c1bca59ddb80fd572c4f242d1fc90b0b1ad0d9996d8aba93c40b0a
SHA512

590663fb62cf49e9c853c1587849a9eb516d27389e0fa2161048fd6f6a96de4670ead03b599b86451146ef6ad05bd20df9d9fc53f8de5ebdd57431f9cc87b7f7
SSDEEP

12288:TL+1gBL8wX6HjpQzbnAm/XB1x4c6GdqoPl43ystsi4m+QJ9t/4gGQvcssYYO6Bya:TL+1fre5zx4c6WTO3oi

Score

10^/10

xloader uqf5 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

uqf5

Decoy

suiddock.com

sweetgyalshop.com

puterigarden.com

orangestoreusa.com

prostirkarpat.com

ajierfoods.com

mindlablearning.com

factiive.net

beautifulbrokenhearts.com

direcionalreservapraca.com

tvhoki.com

themoderncoachinstitute.com

classactionwalgreens.com

haloog.com

sachinkaushik.com

daleearnhardtjrchevyvip.com

disconight.net

ocyslibes.icu

encounterfy.com

infamoudpapertrail.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2580-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2580	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2580	2416	f0194f354acfcdef542970496608eb99_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f0194f354acfcdef542970496608eb99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0194f354acfcdef542970496608eb99_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\f0194f354acfcdef542970496608eb99_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f0194f354acfcdef542970496608eb99_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-6-0x0000000004A40000-0x0000000004AA4000-memory.dmp

Filesize
400KB

Download
memory/2416-0-0x00000000012B0000-0x0000000001368000-memory.dmp

Filesize
736KB

Download
memory/2416-2-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/2416-3-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2416-4-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-5-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/2416-1-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-7-0x00000000005E0000-0x000000000060E000-memory.dmp

Filesize
184KB

Download
memory/2416-13-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2580-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2580-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-14-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download