xloader | b8fecafb0ea8ed59d3c66ea34f14f25f1354589750fc854ff78c11e10cc3421b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Transfer Swift Copy.exe
Size

528KB
MD5

0d5bfa60273cf3871c7596b7aa2fc447
SHA1

451461604085634e62758f142fbca0bdbf12a044
SHA256

e51b63aacca71c639c6f3b12a6b0eede821c54567125b52a21a0a24ec540d04a
SHA512

33afea5b2367b0f4a0f222d14d4fe531c8b076ff1c253897b4e69f9a2956637573284cb7433d75e09d6aeb6f1891a3b962672cd7be561f25e0649def528276a2
SSDEEP

12288:ZhQVh9a17gNm5YnXDdx2OjKhNHySntntjEyjIOm+mmmTIhfCGONcR9Ok:ZhQVh9FDdx2GKzSSt9ZSsmToik

Score

10^/10

xloader u8aa loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u8aa

Decoy

quantexchanges.com

hizliarac.com

dropsdementanovohamburgo.com

tcinsurancegroup.net

byobvendors.com

arteasba.com

azrealtorsmastermind.com

voiceof5aabtv.com

zoom-bloopers.com

jxsenmei.com

interia-poczta.email

coolgiftbaskets.net

magetu.info

weedliberal.com

drsergiocastilloangiologo.com

starinsiderau.com

weightneutralmetflex.com

youxiandian.com

liberation.media

ferrari-news.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3868-2-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3868-6-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1932-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1932-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Transfer Swift Copy.exeTransfer Swift Copy.execmmon32.exe

description	pid	Process	procid_target
PID 1004 set thread context of 3868	1004	Transfer Swift Copy.exe	85
PID 3868 set thread context of 3448	3868	Transfer Swift Copy.exe	57
PID 1932 set thread context of 3448	1932	cmmon32.exe	57

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Transfer Swift Copy.execmmon32.exe

pid	Process
3868	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe
1932	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Transfer Swift Copy.exeTransfer Swift Copy.execmmon32.exe

pid	Process
1004	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
3868	Transfer Swift Copy.exe
1932	cmmon32.exe
1932	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Transfer Swift Copy.execmmon32.exe

description	pid	Process
Token: SeDebugPrivilege	3868	Transfer Swift Copy.exe
Token: SeDebugPrivilege	1932	cmmon32.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Transfer Swift Copy.exeExplorer.EXEcmmon32.exe

description	pid	Process	procid_target
PID 1004 wrote to memory of 3868	1004	Transfer Swift Copy.exe	85
PID 1004 wrote to memory of 3868	1004	Transfer Swift Copy.exe	85
PID 1004 wrote to memory of 3868	1004	Transfer Swift Copy.exe	85
PID 1004 wrote to memory of 3868	1004	Transfer Swift Copy.exe	85
PID 3448 wrote to memory of 1932	3448	Explorer.EXE	86
PID 3448 wrote to memory of 1932	3448	Explorer.EXE	86
PID 3448 wrote to memory of 1932	3448	Explorer.EXE	86
PID 1932 wrote to memory of 4424	1932	cmmon32.exe	91
PID 1932 wrote to memory of 4424	1932	cmmon32.exe	91
PID 1932 wrote to memory of 4424	1932	cmmon32.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\Transfer Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Transfer Swift Copy.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\Transfer Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Transfer Swift Copy.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Transfer Swift Copy.exe"
    3⤵
    PID:4424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-3-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

Filesize
336KB

Download
memory/1004-1-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/1004-0-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

Filesize
336KB

Download
memory/1932-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-15-0x00000000021B0000-0x000000000223F000-memory.dmp

Filesize
572KB

Download
memory/1932-12-0x00000000023C0000-0x000000000270A000-memory.dmp

Filesize
3.3MB

Download
memory/1932-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-10-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1932-9-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/3448-8-0x0000000008840000-0x000000000897D000-memory.dmp

Filesize
1.2MB

Download
memory/3448-18-0x0000000008B10000-0x0000000008C4C000-memory.dmp

Filesize
1.2MB

Download
memory/3448-19-0x0000000008B10000-0x0000000008C4C000-memory.dmp

Filesize
1.2MB

Download
memory/3448-22-0x0000000008B10000-0x0000000008C4C000-memory.dmp

Filesize
1.2MB

Download
memory/3868-7-0x0000000001460000-0x0000000001470000-memory.dmp

Filesize
64KB

Download
memory/3868-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3868-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3868-4-0x00000000018F0000-0x0000000001C3A000-memory.dmp

Filesize
3.3MB

Download