xloader | 4280bb4e70e3ea349291f5674181b61c81a81a4dab4d6d52cae1e4e01a77928e

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe
Size

816KB
MD5

4b152fa511993e3fababdeed5fadc362
SHA1

83b56d11cd855f1a760a1b810b5ee15ae2cd3452
SHA256

4280bb4e70e3ea349291f5674181b61c81a81a4dab4d6d52cae1e4e01a77928e
SHA512

2796cc71b0799866748a744e12809e336ce806f25bb84bf747e2947222bf2507475520451c321d420729cd0e6a9c5e8b9b4fb95ac3f2c413c8ee107f31fb13fd
SSDEEP

24576:R8LQozB5IlUYJDQ6UBAWtI9Pdu0nEZ8OZWT621ZHogD:+LQND7cAWtwPg0i

Score

10^/10

xloader rq6j discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rq6j

Decoy

xiubanpei.com

cinderellaplus.com

jamascompany.com

bartarpay.net

iieom-l7f.net

wesleymerritt.com

applefolds.info

susanjkirkpatrick.com

bhavishyfoundations.com

joboval.com

countingdowntothecomans.com

mariamasal.com

michaelcajero.net

tradekindness.net

wonderwall.pro

babymaths.com

webdevalley.com

sculptingtreestudio.com

iblamatrading.com

quefautil.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2520-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2520	2668	4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b152fa511993e3fababdeed5fadc362_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2520-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-17-0x0000000000C90000-0x0000000000F93000-memory.dmp

Filesize
3.0MB

Download
memory/2520-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2668-3-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-6-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-7-0x0000000006750000-0x00000000067F0000-memory.dmp

Filesize
640KB

Download
memory/2668-8-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download
memory/2668-5-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2668-4-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/2668-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2668-2-0x00000000048B0000-0x0000000004946000-memory.dmp

Filesize
600KB

Download
memory/2668-16-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-1-0x0000000000BB0000-0x0000000000C82000-memory.dmp

Filesize
840KB

Download