xloader | 88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
Size

298KB
MD5

f5e7bf270b60cd8a71fc8be79ea7aae4
SHA1

e9361f22d9b0a2aba641b9cedbaa203ac32e30c6
SHA256

88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a
SHA512

cea75189109aab37974c7f57b7008c18755e362658ef47cfc093708fbe8b8ef06383458f898ebf11b1359b334980a70d18604a79265176d4773c3dfdfe4ab097
SSDEEP

6144:jCeJW1DhGOWLpoLuVLhiade0Huq8PGMZW/d+2t7i+:/WJhGOWLpogLAa40+PGMZHe7l

Score

10^/10

xloader pagi loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

pagi

Decoy

makehrworkable.com

sound-wisdom.com

blacts.com

caenantglamping.com

meridiancpas.com

draughtedinn.co.uk

windywoodshc.com

mintmovileplus.com

pubgeventdailylogin.com

thesocialdzr.com

holapv.com

racevc.com

openpula.pro

wepreventstroke.com

autoclosy.com

enginkarabacak.com

15096eec1652.info

buildthefoundation.net

pwilliamberciklaw.com

paramountrevenueadvisors.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1592-2-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

description	pid	process	target process
PID 2172 set thread context of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

pid process

1592 f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

pid process

2172 f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

pid	process
1592	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

pid	process
2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

description	pid	process	target process
PID 2172 wrote to memory of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
PID 2172 wrote to memory of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
PID 2172 wrote to memory of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
PID 2172 wrote to memory of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
PID 2172 wrote to memory of 1592	2172	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe	f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e7bf270b60cd8a71fc8be79ea7aae4_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1592

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1592-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1592-4-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download
memory/2172-0-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download
memory/2172-1-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2172-3-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads