xloader | 9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
Size

651KB
MD5

f41074eaa3e27940c9659ed547264c46
SHA1

b95ec335db31a00d2ec118afec3ff1a5885f93d4
SHA256

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6
SHA512

65c8b8f2fb091725bf5ce52777882f325ef08c72ae9693bebdf45e9d65b46c6b36f6b59f36ab3b5ffd1325ec43c52df49f5afd78597bda4fc664642d5609a498
SSDEEP

12288:2fBafvIKSe9qVlyQSRanh4cMVPzF62RIoDKbB38kjrhmlrFrncR:24f/R0VlyAh4DUoDKV38kjrUrF

Score

10^/10

xloader uem3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

uem3

Decoy

darwinschools.com

polytherm-vloerverwarming.com

sinibelanja.website

erasemy.info

domainedelapoujade.info

freidaperry.com

ensoustudio.com

xjyjjy.com

ezhuilike.com

equipoheza.com

vtsr-health.com

elanagro.online

savas-jewelry.com

hispahoo.com

nlsc.chat

wharxl.icu

funandfoodboat.com

usdtsearch.com

experimentguardian.xyz

bikeell.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5068-12-0x0000000000400000-0x000000000042B000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

description	pid	Process	procid_target
PID 4388 set thread context of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

pid	Process
5068	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
5068	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe

description	pid	Process	procid_target
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101
PID 4388 wrote to memory of 5068	4388	9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe	101

C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
"C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe
  "C:\Users\Admin\AppData\Local\Temp\9b38c45acf649b5db02318330583b66e8f70f637a54ef40db50afbef85a0cbb6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4388-6-0x0000000006370000-0x000000000637E000-memory.dmp

Filesize
56KB

Download
memory/4388-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4388-2-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/4388-3-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/4388-4-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4388-5-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4388-1-0x00000000004D0000-0x000000000057A000-memory.dmp

Filesize
680KB

Download
memory/4388-7-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4388-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4388-9-0x0000000006A70000-0x0000000006AD8000-memory.dmp

Filesize
416KB

Download
memory/4388-10-0x0000000007DE0000-0x0000000007E7C000-memory.dmp

Filesize
624KB

Download
memory/4388-11-0x0000000006930000-0x0000000006962000-memory.dmp

Filesize
200KB

Download
memory/4388-14-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/5068-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5068-15-0x0000000001710000-0x0000000001A5A000-memory.dmp

Filesize
3.3MB

Download