xloader | 91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
Size

466KB
MD5

fda0d823b262ac2b1bd76a2053c29692
SHA1

73f72d7c987d44d1f236c138c5617b527c5ba340
SHA256

91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
SHA512

230e3a12c58a61c2348463b5acb92a6b557419b79e0427882750caa84d3c7e8fcec92ff6151f4f22b6eb967da138c931ed56f0dedadf1af1ac5d809508e74507
SSDEEP

12288:AsXSBAmUT9BbRsXFkN8xDqT2LWWJOxTa:AsCBAme9Bb2Xq8xk2LWx

Score

10^/10

xloader fqiq loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3740-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

description	pid	process	target process
PID 4848 set thread context of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

pid process

3740 fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
3740 fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

pid	process
3740	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
3740	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

description	pid	process	target process
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
PID 4848 wrote to memory of 3740	4848	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe	fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fda0d823b262ac2b1bd76a2053c29692_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3740-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3740-15-0x0000000001930000-0x0000000001C7A000-memory.dmp

Filesize
3.3MB

Download
memory/4848-6-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/4848-3-0x00000000056F0000-0x0000000005876000-memory.dmp

Filesize
1.5MB

Download
memory/4848-4-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4848-5-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4848-0-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-7-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/4848-8-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-9-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4848-10-0x0000000007030000-0x00000000070CC000-memory.dmp

Filesize
624KB

Download
memory/4848-11-0x0000000007170000-0x00000000071C2000-memory.dmp

Filesize
328KB

Download
memory/4848-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4848-14-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-1-0x0000000000AB0000-0x0000000000B2A000-memory.dmp

Filesize
488KB

Download