xloader | 94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4

Analysis

max time kernel
92s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
Size

733KB
MD5

f5e06eac210ad2965522d958281c8c95
SHA1

102aa3b2f0a0f032fd4f830095617674be963525
SHA256

94ec59e8f70de9f2fc9a4774fc7ed32a7a0495115a813537f77c9aeb505a5bc4
SHA512

3e7657b45fdd015d966c78e17af01cf204a6886b951cb66960effbf8b35dec2e5927eb88f71cd272d27ce8e1f7ab9949293ecf0091747b9ba9a4970a33cdce91
SSDEEP

12288:yX2fYp/cCOsBgo0q4wMRYSyKDpbeE9/fJT8c0TXH/wOKviT:yX2fzCOsBgo0q4wMRYzKFHHJTwrHrj

Score

10^/10

xloader wufn loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wufn

Decoy

rsautoluxe.com

theroseofsharonsalon.com

singnema.com

nathanielwhite108.com

theforumonline.com

iqpt.info

joneshondaservice.com

fafene.com

solanohomebuyerclass.com

zwq.xyz

searchlakeconroehomes.com

briative.com

frystmor.city

systemofyouth.com

sctsmney.com

tv-safetrading.com

thesweetboy.com

occulusblu.com

pawsthemomentpetphotography.com

travelstipsguide.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 2 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4448-8-0x0000000002390000-0x00000000023A2000-memory.dmp	CustAttr
behavioral2/memory/656-17-0x0000000001850000-0x0000000001B9A000-memory.dmp	CustAttr

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/656-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

description	pid	process	target process
PID 4448 set thread context of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

pid process

656 f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
656 f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

pid	process
656	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
656	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

description	pid	process	target process
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
PID 4448 wrote to memory of 656	4448	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe	f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e06eac210ad2965522d958281c8c95_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/656-17-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/656-16-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/4448-8-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/4448-10-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4448-5-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4448-6-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/4448-7-0x0000000004DC0000-0x0000000004E16000-memory.dmp

Filesize
344KB

Download
memory/4448-1-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-9-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-4-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/4448-11-0x00000000077D0000-0x000000000784A000-memory.dmp

Filesize
488KB

Download
memory/4448-12-0x00000000061E0000-0x0000000006212000-memory.dmp

Filesize
200KB

Download
memory/4448-3-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/4448-15-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-2-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/4448-0-0x0000000000050000-0x000000000010E000-memory.dmp

Filesize
760KB

Download