xloader | 9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
Size

651KB
MD5

f41074eaa3e27940c9659ed547264c46
SHA1

b95ec335db31a00d2ec118afec3ff1a5885f93d4
SHA256

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6
SHA512

65c8b8f2fb091725bf5ce52777882f325ef08c72ae9693bebdf45e9d65b46c6b36f6b59f36ab3b5ffd1325ec43c52df49f5afd78597bda4fc664642d5609a498
SSDEEP

12288:2fBafvIKSe9qVlyQSRanh4cMVPzF62RIoDKbB38kjrhmlrFrncR:24f/R0VlyAh4DUoDKV38kjrUrF

Score

10^/10

xloader uem3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

uem3

Decoy

darwinschools.com

polytherm-vloerverwarming.com

sinibelanja.website

erasemy.info

domainedelapoujade.info

freidaperry.com

ensoustudio.com

xjyjjy.com

ezhuilike.com

equipoheza.com

vtsr-health.com

elanagro.online

savas-jewelry.com

hispahoo.com

nlsc.chat

wharxl.icu

funandfoodboat.com

usdtsearch.com

experimentguardian.xyz

bikeell.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2636-11-0x0000000000400000-0x000000000042B000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

description	pid	Process	procid_target
PID 1716 set thread context of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

pid	Process
2636	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

description	pid	Process	procid_target
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30
PID 1716 wrote to memory of 2636	1716	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	30

C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
"C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
  "C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-6-0x00000000007E0000-0x0000000000812000-memory.dmp

Filesize
200KB

Download
memory/1716-1-0x0000000000DE0000-0x0000000000E8A000-memory.dmp

Filesize
680KB

Download
memory/1716-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-3-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1716-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-5-0x0000000004900000-0x0000000004968000-memory.dmp

Filesize
416KB

Download
memory/1716-0-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/1716-12-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-13-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download