xloader | 2aa4e557d70c43b63c4c83dae89a00b09ded7c16317a30cce69d8b44c4ae2c2d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe
Size

347KB
MD5

f826defd978e74a09d47ad5cbe2a6c93
SHA1

6892b6ebc8301ac535af2391aa0563453082fa4f
SHA256

2aa4e557d70c43b63c4c83dae89a00b09ded7c16317a30cce69d8b44c4ae2c2d
SHA512

44f3e9d07b4b520a5004c11ff903fa2868a423d062fc5f18c7faf0b45343d593db75a36b4585729b95488616a490af1facb66ad98a2d5f061b78021ba9f1c811
SSDEEP

6144:pF49qqKGPBcwqh3SBYA4444444444444BffIq2DPzY1vPT+hn7kg46meJl+Ku:pzvGPOEYdfvEzY56kumeJl+x

Score

10^/10

xloader b6a4 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

Decoy

reviewsresolutions.com

binhminhgardenshophouse.com

nebulacom.com

kadhambaristudio.com

viltoom.club

supmomma.com

tjszxddc.com

darlingmemories.com

hyperultrapure.com

vibembrio.com

reallycoolmask.com

cumbukita.com

brian-newby.com

abstractaccessories.com

marykinky.com

minnesotareversemtgloans.com

prasetlement.com

xplpgi.com

xn--gdask-y7a.com

uababaseball.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2100-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2100	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2100	2292	f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f826defd978e74a09d47ad5cbe2a6c93_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2100-6-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2100-7-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2292-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/2292-2-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download