xloader | d72b2c9f7dc00da9c2933bdd67a59dc0f8923d1478d2b22efc3ab1d52196a5c4

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scn14092020.scr
Size

380KB
MD5

f028d6c9991258c5c75e9f234d4dee79
SHA1

2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e
SHA256

576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717
SHA512

d3fd7200dad40ce073d477205abf7736e9aa9aab492fec1f42c318f65c2a9e132ab45d6b9c52fa3d7c535db63c392d370e2ee2b4787845c4f5f5408ba352f8be
SSDEEP

6144:Jr5KTzUvCH42ZGb9XF1csV2DoT/oENADXgjDxGXMSwGxDUxQTf2ujAhzs7g8LX9:Z5KEvCH4kGvqfPrDg3kXMitohz38LX9

Score

10^/10

xloader d9s8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

d9s8

Decoy

adriaguest.com

connerparty.com

jblmhomestore.net

23works.com

environmentsafetymemphis.com

hqxmf.com

hivepublications.com

keebcat.com

smalltownlawns.com

brasserie-lafayette.com

kq-iot.com

theghostfestival.com

dmhowardstudio.com

nittayabeauty.com

thebardi.com

transcash-pocket-money.com

stick.tips

revolucaomindfulness.com

clicrhonealpes.com

ekcraftmasters.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2268-10-0x0000000000400000-0x0000000000431000-memory.dmp	xloader
behavioral1/memory/2268-6-0x0000000000400000-0x0000000000431000-memory.dmp	xloader

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

scn14092020.scr

pid	Process
2140	scn14092020.scr
2140	scn14092020.scr
2140	scn14092020.scr
2140	scn14092020.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

scn14092020.scr

description	pid	Process	procid_target
PID 2140 set thread context of 2268	2140	scn14092020.scr	28

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2312	2268	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

scn14092020.scr

pid	Process
2140	scn14092020.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scn14092020.scr

description	pid	Process
Token: SeDebugPrivilege	2140	scn14092020.scr

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

scn14092020.scrscn14092020.scr

description	pid	Process	procid_target
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2140 wrote to memory of 2268	2140	scn14092020.scr	28
PID 2268 wrote to memory of 2312	2268	scn14092020.scr	29
PID 2268 wrote to memory of 2312	2268	scn14092020.scr	29
PID 2268 wrote to memory of 2312	2268	scn14092020.scr	29
PID 2268 wrote to memory of 2312	2268	scn14092020.scr	29

C:\Users\Admin\AppData\Local\Temp\scn14092020.scr
"C:\Users\Admin\AppData\Local\Temp\scn14092020.scr" /S
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\scn14092020.scr
  "C:\Users\Admin\AppData\Local\Temp\scn14092020.scr"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 36
    3⤵
    - Program crash
    PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x000000000F330000-0x000000000F394000-memory.dmp

Filesize
400KB

Download
memory/2140-2-0x00000000005B0000-0x00000000005F8000-memory.dmp

Filesize
288KB

Download
memory/2140-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-11-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2268-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2268-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2268-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2268-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2268-4-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download