xloader | b4bb472d39c592fc4e99ecdd59cc1284255666c72ba5eccc7f5b39780e53141e

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe
Size

418KB
MD5

f97387cf1ed097f9f1185ecb8d63d425
SHA1

a737798f98adfedab12d1b8161ebfc0db31767da
SHA256

b4bb472d39c592fc4e99ecdd59cc1284255666c72ba5eccc7f5b39780e53141e
SHA512

b8aadb681f1e492bea50f722d34a431c5fb46c32fdb23ca54f5bc43474672dae49ef95d3e3188b739561b6f76c8d05b1ab07d34473da2c3a1dcfff18a866185d
SSDEEP

6144:3LTfaVy5OOu+n20JpbO8yfyV68lyixJQ0KDJNXiTF85rDcp0+DMC:vfalOu+n/U8c50WNCFy3x+QC

Score

10^/10

xloader b6a4 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

Decoy

reviewsresolutions.com

binhminhgardenshophouse.com

nebulacom.com

kadhambaristudio.com

viltoom.club

supmomma.com

tjszxddc.com

darlingmemories.com

hyperultrapure.com

vibembrio.com

reallycoolmask.com

cumbukita.com

brian-newby.com

abstractaccessories.com

marykinky.com

minnesotareversemtgloans.com

prasetlement.com

xplpgi.com

xn--gdask-y7a.com

uababaseball.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2120-3-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2120	WerFault.exe	28

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe
3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2120	3020	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2584	2120	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2584	2120	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2584	2120	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2584	2120	f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f97387cf1ed097f9f1185ecb8d63d425_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 36
    3⤵
    - Program crash
    PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2120-3-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/3020-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download
memory/3020-2-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download