xloader | 26fb8675c58beebfed1a2c246fa5fd658ed0286305dc64683fe4d34b41cc5a66

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de16e644095099e744f588690e7e400_JaffaCakes118.exe
Size

229KB
MD5

5de16e644095099e744f588690e7e400
SHA1

0e3dc321554ae6081ee7f4437353457d7360d121
SHA256

26fb8675c58beebfed1a2c246fa5fd658ed0286305dc64683fe4d34b41cc5a66
SHA512

a7087b2f0a294ab4268ec2d498fa23d075de0adf714de81d57d7910135387e12aa90adc50eba183246cc9d834778405818af5630dda6adf968ad25582c2c47b6
SSDEEP

6144:10khhhhhhhhhhhhhN8gBVP+MO4L952L6sCpKN2LKgP1Gkohh8h8mHxpBmPZO:GkhhhhhhhhhhhhhOgvP+MzL95X7P1Ghi

Score

10^/10

xloader noi6 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

noi6

Decoy

yow.today

rkdreamcreations.com

etheriumtech.com

stretchwrench.com

kiddiecruise.com

stickforward.com

videocineproduccion.com

roofinginamerica.com

amarillasnuevomexico.com

armfieldmillerripley.com

macyburn.club

lvbaoshan.com

shopshelponline.com

thebunnybrands.com

newsxplor.com

momunani.com

rebelnqueen.com

tusguitarras.com

nexab2b.com

e3office.express

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2160-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

5de16e644095099e744f588690e7e400_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2336 set thread context of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5de16e644095099e744f588690e7e400_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5de16e644095099e744f588690e7e400_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5de16e644095099e744f588690e7e400_JaffaCakes118.exe

pid	Process
2160	5de16e644095099e744f588690e7e400_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

5de16e644095099e744f588690e7e400_JaffaCakes118.exe

pid	Process
2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5de16e644095099e744f588690e7e400_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2160	2336	5de16e644095099e744f588690e7e400_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\5de16e644095099e744f588690e7e400_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5de16e644095099e744f588690e7e400_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\5de16e644095099e744f588690e7e400_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5de16e644095099e744f588690e7e400_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2336-2-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2336-1-0x0000000000090000-0x0000000000190000-memory.dmp

Filesize
1024KB

Download