xloader | 8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
Size

1014KB
MD5

fd84eb337a51966294ba08722170bf46
SHA1

1f529d60e2dc50deaac59af322708039da33c3be
SHA256

8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701
SHA512

a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847
SSDEEP

12288:rFhlsU1cTDO+emag5IFyPK7yMmeP1vwdyAook1GZEUFA1Vk82C867LiuNyxv2AdU:rFhlXcOyeL3JStX+PbLk2QHQ

Score

10^/10

xloader zgrat p6f2 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p6f2

Decoy

redsnews.com

vr859.com

postmasterstudios.com

hampsteadorganizer.com

hangshop.net

maheshwaramlawcollege.com

5156087.com

gtaaddict.com

faj.xyz

drivechicagoillinois.com

neerutech.com

b2brahmas.com

freshlookks.com

propertyparallel.tech

tlwbyads.com

sellektorkids.com

dexs.fyi

kileybrock.com

nervstudio.com

tosg-ltd.com

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1924-4-0x0000000000380000-0x0000000000396000-memory.dmp	family_zgrat_v1

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2756-9-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

description	pid	process	target process
PID 1924 set thread context of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

pid process

2756 fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

pid	process
2756	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

description	pid	process	target process
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
PID 1924 wrote to memory of 2756	1924	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe	fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd84eb337a51966294ba08722170bf46_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-0-0x0000000000800000-0x0000000000904000-memory.dmp

Filesize
1.0MB

Download
memory/1924-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-2-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1924-3-0x0000000000450000-0x00000000004D0000-memory.dmp

Filesize
512KB

Download
memory/1924-4-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/1924-10-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2756-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2756-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2756-11-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads