xloader | 8151e6031cf57c2b19146881a32fb1fd50b39b6ee5c7cd689c4e2a6216f1433d

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe
Size

860KB
MD5

f8012c68dbfc30b3724d40ddfc39eca4
SHA1

130c7691681119b56187104a781c777198708183
SHA256

8151e6031cf57c2b19146881a32fb1fd50b39b6ee5c7cd689c4e2a6216f1433d
SHA512

1394edf09155a3057e22de5ac1082e6d7abce2e6a8530e8a3cb382b87f38bbd4baa93e171f01a1176d1d8829de599034fba8dbf4aaba876628d17816a9bed043
SSDEEP

12288:11Wl8T5+M63xjmeMf3vQY9244jz5X9tPAEAvP:1A24dxYvx4vJvkvP

Score

10^/10

xloader rqe8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rqe8

Decoy

bjft.net

abrosnm3.com

badlistens.com

signal-japan.com

schaka.com

kingdompersonalbranding.com

sewmenship.com

lzproperty.com

mojoimpacthosting.com

carinsurancecoverage.care

corporatemercadona.com

mobileswash.com

forevercelebration2026.com

co-het.com

bellesherlou.com

commentsoldgolf.com

onlytwod.group

utesco.info

martstrip.com

onszdgu.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1680-2-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27
PID 1792 wrote to memory of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27
PID 1792 wrote to memory of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27
PID 1792 wrote to memory of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27
PID 1792 wrote to memory of 1680	1792	f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe	27

C:\Users\Admin\AppData\Local\Temp\f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f8012c68dbfc30b3724d40ddfc39eca4_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1680-5-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1792-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1792-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1792-3-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download