xloader | 3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624

Analysis

max time kernel
10s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe
Size

228KB
MD5

0c377447f098f43601e8c21609c41e1c
SHA1

8da17dacc87338c630430071efe7850ef34c0184
SHA256

3adaa1111196714a172b66f0deb9013f5b86c1671a7d126b69703d64e358f624
SHA512

b8746e95f87b7e948db46d4270ee10dc9a6fa1ef9e97defeda2a27053523928c9e8c79371799c2eb48569ca4f983801e15fd476de1a15f2b5c7e65703d32fdb0
SSDEEP

3072:/6HGteVUP/qOu43gC4S9HbJhElye1x8JtVTrrTlznlAPOwJFnS1mekUZPPRkTRKF:/dQOJu4wC3tfVSQnl6JFnom3UtPSTRSL

Score

10^/10

xloader ieqo discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ieqo

Decoy

new-post-25782.xyz

podcastrrr.com

babyspageelong.com

boaddeo.club

distribuzionemedica.com

peaceofminderbinder.com

abbyrosemusic.com

odessawildliferemoval.com

prosperasight.com

liibbyapp.com

shandaferguson.com

kirsehiryenihaber.com

secured07b-chase.com

leanonmelifeadvice.com

securemtgs.com

temgk255.space

lunasparallevar.com

transportesdario.com

redwork.club

directopolis.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2116-2-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2116	2088	0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0c377447f098f43601e8c21609c41e1c_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-0-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2088-1-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2116-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download