xloader | e94ab3e9bc6dfb0889e82075cbef674de3c160a8d4bbf9b3d596381bebf492af

Analysis

max time kernel
142s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
Size

688KB
MD5

fdaa7ea645b190b5049db5e11ee65456
SHA1

c96956ef38e91160217379b008b4534d5c7862c6
SHA256

e94ab3e9bc6dfb0889e82075cbef674de3c160a8d4bbf9b3d596381bebf492af
SHA512

95cb0f1614d065db83e7ac94f9fb3587f02d72118ce2b91e7480eb801b484acca64a388eb1e2c944abdc069698d4e888307c1a2d534bfae1fd903d34a577ef9f
SSDEEP

12288:DeZh7/duQkE35lyl9JTY7lVWrMQ4ZwCFaGZS2m:D8dZ5le87zWoQ4ZlaGZy

Score

10^/10

xloader mej0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mej0

Decoy

mtxs8.com

quickskiplondon.com

sltplanner.com

generatedate.com

amsinspections.com

tomrings.com

109friends.com

freelovereading.com

avalapartners.com

nordiqueluxury.com

inmbex.com

everybankatm.com

bo1899.com

ashymeadow.com

pubgm-chickendinner.com

takudolunch.com

carlagremiao.com

actonetheatre.com

wemhealth.com

khasomat.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4016-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4820 set thread context of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe

pid	Process
4016	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
4016	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
4016	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe

description	pid	Process	procid_target
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101
PID 4820 wrote to memory of 4016	4820	fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fdaa7ea645b190b5049db5e11ee65456_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3460 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4016-14-0x0000000001A10000-0x0000000001D5A000-memory.dmp

Filesize
3.3MB

Download
memory/4820-6-0x00000000051A0000-0x00000000051BC000-memory.dmp

Filesize
112KB

Download
memory/4820-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/4820-4-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4820-5-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/4820-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-7-0x0000000006310000-0x00000000063AC000-memory.dmp

Filesize
624KB

Download
memory/4820-8-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-9-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4820-10-0x00000000008C0000-0x0000000000926000-memory.dmp

Filesize
408KB

Download
memory/4820-11-0x0000000000960000-0x000000000098E000-memory.dmp

Filesize
184KB

Download
memory/4820-2-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/4820-1-0x00000000001A0000-0x0000000000252000-memory.dmp

Filesize
712KB

Download
memory/4820-15-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download