xloader | d00f87049fb2c7cbbf506ca2361e8295fe06926f17e1d2c16cfe3e88a2902f5a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
Size

345KB
MD5

fd30d28fcbcb1355343d594752b78772
SHA1

33cb0811591d84b68ce5cb07e1050e4dea0ce6cf
SHA256

d00f87049fb2c7cbbf506ca2361e8295fe06926f17e1d2c16cfe3e88a2902f5a
SHA512

5367ea6f2fea98f3942abc25b0c628d34443280f90eeae3d22d10686b428113237dd5708160ee5c790dc12c14a3a5b3505afc2c143d1392b93949cf3749e0f6b
SSDEEP

6144:5CU7yTJH63y+Ah44w19QG3pLKSiUZrNVfs8V:oU7sOp4nS9QuNN2

Score

10^/10

xloader iq3g loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

iq3g

Decoy

itbcx.com

katielegget.com

myneighorsbasement.com

charts.wiki

toricolucci.com

ntlichengmodel.com

onsaleja.com

nailsbyleentje.com

freya-lux.com

moodyblack.com

mseoljaehwi.com

successfulsend.com

dr-roach.com

nargilegalerisi.com

animalhoney.com

indiarankers.com

botcantaysitokata.club

okinawakurashinavi.com

ceev-japan.com

shsqyy.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4376-2-0x00000000016E0000-0x000000000170A000-memory.dmp	xloader
behavioral2/memory/1760-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4376 set thread context of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1760	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
1760	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88
PID 4376 wrote to memory of 1760	4376	fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd30d28fcbcb1355343d594752b78772_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1760-6-0x0000000000B50000-0x0000000000E9A000-memory.dmp

Filesize
3.3MB

Download
memory/4376-1-0x00000000017B0000-0x00000000018B0000-memory.dmp

Filesize
1024KB

Download
memory/4376-2-0x00000000016E0000-0x000000000170A000-memory.dmp

Filesize
168KB

Download