xloader | cf7d85d93de196b42c3efb7909e8304a2d053f11cd3ee987d6dbde1468b323f7

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba751eff82d2111736684b45044ed38_JaffaCakes118.exe
Size

804KB
MD5

fba751eff82d2111736684b45044ed38
SHA1

b3727dae5024c3e7f4f11d0bde8df103c815f7e9
SHA256

cf7d85d93de196b42c3efb7909e8304a2d053f11cd3ee987d6dbde1468b323f7
SHA512

113385b0224dab09d0f5041d3ff47833de55b07e97c7350bfb4ff2cbf6a9385fe9451ec9ca09a80800df50f212ea7a32063d3a4b36d1b8afbc81d415f3d1ec9e
SSDEEP

12288:4o6U4KPD48QihhdXBg/nB1LBKxTJtypWqZJyu6Vx+791tWPU62iN:4o6UQ8Qi9XAB1WbkZWnxi0U61

Score

10^/10

xloader p6nu loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p6nu

Decoy

oncodelogic.com

hielogram.com

zkioc.com

peercoding.com

justingagnonprivatewealth.com

jubilee-painters.com

palmeyayinevi.net

jetsetstar.com

socialbookmarking.website

pizzasofeight.com

ilinkww.com

keefeandadrienne.com

topconsolidationoffers.com

bbota.com

mytwinklinglights.com

ggr-rules.com

tianlano3.com

scientiagenus.com

shivanisharmagroup.com

humblenbundle.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4388-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4388	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe
4388	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100
PID 2748 wrote to memory of 4388	2748	fba751eff82d2111736684b45044ed38_JaffaCakes118.exe	100

C:\Users\Admin\AppData\Local\Temp\fba751eff82d2111736684b45044ed38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba751eff82d2111736684b45044ed38_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\fba751eff82d2111736684b45044ed38_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fba751eff82d2111736684b45044ed38_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2748-8-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/2748-4-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/2748-0-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2748-3-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/2748-9-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2748-5-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2748-6-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/2748-10-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2748-2-0x0000000005180000-0x000000000521C000-memory.dmp

Filesize
624KB

Download
memory/2748-1-0x0000000000740000-0x0000000000810000-memory.dmp

Filesize
832KB

Download
memory/2748-7-0x00000000054D0000-0x0000000005526000-memory.dmp

Filesize
344KB

Download
memory/2748-11-0x0000000007220000-0x00000000072BE000-memory.dmp

Filesize
632KB

Download
memory/2748-12-0x0000000002B90000-0x0000000002BC0000-memory.dmp

Filesize
192KB

Download
memory/2748-16-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4388-15-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download
memory/4388-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4388-17-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download