xloader | c01319e969a567a2494e73bfb5179f75a9dc6a0bfb7e0ac56250dc90a72e8959

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe
Size

1.1MB
MD5

f9bc884d392b1cf3476d36733d443bea
SHA1

0355cac4a25abc48cc625b2da9187e7f0d1e5574
SHA256

243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a
SHA512

b59affcf56c37f8837ffe1009eda97ae871bed924c83526ddf139dc6ddce304f56ebc4df4dee2d01dfc09147eff1c8cef5692ce331e5ba49349e4fb9e9edaf48
SSDEEP

24576:JYXKi8Tg5e4Nkva4tZxXw4icnnmPHZYD5F3Kd8:JYXKi8Tee64tp7mhYj3Ke

Score

10^/10

xloader usur loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

usur

Decoy

purpopup.com

mrswarrenspodcast.com

blinbins.com

parahomeoffice.com

20next.com

quiala.com

newccosecurity.net

throughthehagstone.com

hnxslawfirm.com

sztoium.icu

fullembodiedwoman.com

sankara-yoga.com

foottrafficcollective.com

acruxvacations.com

jadeena.com

neurotypicalspouse.com

onlyinwallkill.com

laurenkilbane.com

thebendavonte.com

regencydevelopmentstoronto.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2440-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30
PID 1712 wrote to memory of 2440	1712	243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe	30

C:\Users\Admin\AppData\Local\Temp\243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe
"C:\Users\Admin\AppData\Local\Temp\243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe
  "C:\Users\Admin\AppData\Local\Temp\243d713a5124eb1bb3b1ee2e70c7a404d531da84c68bbfa5a838b092a1058a7a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-6-0x0000000008140000-0x00000000081E2000-memory.dmp

Filesize
648KB

Download
memory/1712-0-0x0000000000EB0000-0x0000000000FD6000-memory.dmp

Filesize
1.1MB

Download
memory/1712-2-0x0000000004420000-0x0000000004460000-memory.dmp

Filesize
256KB

Download
memory/1712-3-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/1712-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-5-0x0000000004420000-0x0000000004460000-memory.dmp

Filesize
256KB

Download
memory/1712-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-7-0x0000000000A30000-0x0000000000A8A000-memory.dmp

Filesize
360KB

Download
memory/1712-15-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2440-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2440-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2440-16-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2440-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download