xloader | 0f09b5a5ad2bf792ed543e2b170d969e40591157ed92b5766c3cc3ab7deb2df1

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
Size

229KB
MD5

f3df2367a79e7f135a7ddaefb423ae40
SHA1

a08be77c9e91a124e251155643086b3a91f0364c
SHA256

0f09b5a5ad2bf792ed543e2b170d969e40591157ed92b5766c3cc3ab7deb2df1
SHA512

7fac3bf55ceecb2c6c81d65485098164de00f977415b349dc198c2ef9145792032b9a27302e2cc1c1c1e7d5d33c9dfeb38d6c530f6d26e5f6e2eb505b0f64244
SSDEEP

6144:r0FCoUQZijcU2cYM7bEp+CyMNtark1pDXPw56x3u:w7UH2cYM7c+C9ZbXPrk

Score

10^/10

xloader noi6 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

noi6

Decoy

yow.today

rkdreamcreations.com

etheriumtech.com

stretchwrench.com

kiddiecruise.com

stickforward.com

videocineproduccion.com

roofinginamerica.com

amarillasnuevomexico.com

armfieldmillerripley.com

macyburn.club

lvbaoshan.com

shopshelponline.com

thebunnybrands.com

newsxplor.com

momunani.com

rebelnqueen.com

tusguitarras.com

nexab2b.com

e3office.express

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4332-2-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

description	pid	process	target process
PID 3248 set thread context of 4332	3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

pid process

4332 f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
4332 f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

pid process

3248 f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

pid	process
4332	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
4332	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

pid	process
3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

description	pid	process	target process
PID 3248 wrote to memory of 4332	3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
PID 3248 wrote to memory of 4332	3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
PID 3248 wrote to memory of 4332	3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
PID 3248 wrote to memory of 4332	3248	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe	f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3df2367a79e7f135a7ddaefb423ae40_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3248-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3248-1-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/4332-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-3-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download