xloader | b63ecc7941b1c62dc98d59344ec81a623276033f889fa43628010fc54030e100

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe
Size

435KB
MD5

629b3cbb423e7b5b51f23a87b99a92e6
SHA1

014c1d1873fbb5f18581b1da3414417bc55a5cc9
SHA256

b63ecc7941b1c62dc98d59344ec81a623276033f889fa43628010fc54030e100
SHA512

4892da02d3262c7a4d781917474fee3cb5b22ed494b670c43cd53429eef0e7a8e7603efb68bd427be34d83037ff7900d79278a0195c5a1c8d3ee68253ad6ad00
SSDEEP

6144:Sr5w4udmLIY3llsUfFUlakZZlXV5VNIFdjSLjD9bHkXauTHmS0e901zp:mWSzbsckakZR5zqduLjpbE/K3d1p

Score

10^/10

xloader h3qo loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

h3qo

Decoy

dhflow.com

jyindex.com

ezcleanhandle.com

trungtamcongdong.online

simsprotectionagency.com

easylivemeet.com

blackvikingfashionhouse.com

52banxue.com

girlsinit.com

drhemo.com

freethefarmers.com

velvetrosephotography.com

geometricbotaniclas.com

skyandspirit.com

deltacomunicacao.com

mucademy.com

jaboilfieldsolutions.net

howtowinatblackjacknow.com

anytimegrowth.com

simranluthra.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2948-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 2948	692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe
2948	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 2948	692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe	87
PID 692 wrote to memory of 2948	692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe	87
PID 692 wrote to memory of 2948	692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe	87
PID 692 wrote to memory of 2948	692	629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\629b3cbb423e7b5b51f23a87b99a92e6_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/2948-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2948-4-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download
memory/2948-5-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download