xloader | 52f806c63abcb56facb2b2e12e9df8b142a08d9f35d55923f68cf9681cbdd7cf

Analysis

max time kernel
97s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe
Size

224KB
MD5

f5e8a440c4d1c017b4a8dfc2bed4608f
SHA1

5d2b844eeadae6958d46b02ab2615e174b58dbbe
SHA256

52f806c63abcb56facb2b2e12e9df8b142a08d9f35d55923f68cf9681cbdd7cf
SHA512

bd992f4268151bebf01777036d556815357a1e90280206d24b1dc51a400dd45c8336502ba40cddb3bbf3c44f06327fc4e390faa67adc54f62c881c2c3d555d17
SSDEEP

3072:ArSthTTTTTTTTTTTTTbeOB2f1Gb6l3bVMSgu2jmnd1CqsSL/omlT5uhCRKRe4TBo:gcVemEX0SgBmeq1wmqh7MxNKJcNnmW

Score

10^/10

xloader p086 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p086

Decoy

jinshichain.com

worldpettraveler.com

hightecforpc.com

kj97fm.com

streetnewstv.com

webrew.club

wheretogodubai.com

apostapolitica.net

thecafy.com

vinelosangeles.com

gashinc.com

gutitout.net

bvd-invest.com

realtoroutdesk.com

lawnbowlstournaments.net

nobodyisillegal.com

abogadoorihuela.net

sanistela.com

jksecurityworld.com

peppermintproject.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1420-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3784 set thread context of 1420	3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe
1420	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1420	3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe	88
PID 3784 wrote to memory of 1420	3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe	88
PID 3784 wrote to memory of 1420	3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe	88
PID 3784 wrote to memory of 1420	3784	f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5e8a440c4d1c017b4a8dfc2bed4608f_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1420-4-0x00000000013B0000-0x00000000016FA000-memory.dmp

Filesize
3.3MB

Download
memory/1420-5-0x00000000013B0000-0x00000000016FA000-memory.dmp

Filesize
3.3MB

Download
memory/3784-1-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3784-2-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download