xloader | 33b5454f7d305d2be3b59aef5cb73077820e63bb6f812358bd5f8a72c17cc5e6

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
Size

837KB
MD5

f3a7017cd3bd289fcf75769b73de473d
SHA1

d6361efe1dcaf124118fc1315e081d698815b80f
SHA256

33b5454f7d305d2be3b59aef5cb73077820e63bb6f812358bd5f8a72c17cc5e6
SHA512

344a3d563fb14c1ceece19dde5e73c1bcba41e459f9308503af506cf3895364fe93e5b971d4bc43f302db461d60e7c032ba8f58d2c408cdfa22840d3e1044934
SSDEEP

12288:IYicjeYrA7Z/oR65AXwgFvuSSjImRQucjdhcSsBpnNZAuZcyFXTPp/pFc0b86XzU:IYooR6qg5Xm01BpjZcyFjB/pDBDpW

Score

10^/10

xloader adn9 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

adn9

Decoy

suffrage19.com

desmareesmontantes.net

polishchuk-myroslava.com

compro-online.com

leadenhallstreettrustees.com

beixiyb.com

startlite.net

thewavelengthco.com

shop-sign-drive.com

angeliquestidhum.com

kaanins.com

reversemortgageloantexas.com

alveolo.net

everythingwholesalers.com

islacros.digital

bainrix.com

brittanyinbloom.com

zfezx08.com

yongqingfanhuali.com

gypsyjewelint.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2648-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process	target process
PID 1168 set thread context of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exef3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

pid	process
1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
2648	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
2648	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1168 f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

description	pid	process	target process
PID 1168 wrote to memory of 1068	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 1068	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 1068	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
PID 1168 wrote to memory of 2648	1168	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe	f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
2⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a7017cd3bd289fcf75769b73de473d_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-6-0x0000000007550000-0x00000000075EC000-memory.dmp

Filesize
624KB

Download
memory/1168-8-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/1168-2-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/1168-3-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/1168-4-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1168-5-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/1168-1-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/1168-7-0x0000000005290000-0x00000000052AA000-memory.dmp

Filesize
104KB

Download
memory/1168-0-0x00000000004E0000-0x00000000005B8000-memory.dmp

Filesize
864KB

Download
memory/1168-9-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/1168-10-0x0000000007950000-0x00000000079F0000-memory.dmp

Filesize
640KB

Download
memory/1168-11-0x0000000007760000-0x000000000778E000-memory.dmp

Filesize
184KB

Download
memory/1168-15-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2648-14-0x0000000001BF0000-0x0000000001F3A000-memory.dmp

Filesize
3.3MB

Download
memory/2648-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download