xloader | 03122f0024975ef8688129a291f7a5398a8ef02cf65f452daf3bfb2edbb3ae80

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
Size

935KB
MD5

fe93fd7b777639146c4927a698ab4c33
SHA1

43d8501440f8df5e5429090f9af6335c6b32c292
SHA256

03122f0024975ef8688129a291f7a5398a8ef02cf65f452daf3bfb2edbb3ae80
SHA512

e6ddc3e452e37f6b69d7066ff8f1b3e4e6eb93f53e64398ef01993fa2d412497189af8f9e085e7c3f58ddc894589bb507ab7909474ebb19447b3d59c6cc02743
SSDEEP

12288:gqaDADB/q7EhGteOdlClsYKWa52SyhvvzhJrOIpPjYeiMSs3p+:gvQ/vQenTW5YvLTCIpHiiE

Score

10^/10

xloader di4p loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

di4p

Decoy

thegeeksbeanie.net

ertugrulefendi.com

avwastemanagement.com

themindfulayurveda.com

jackietalk.com

medicineshome.com

infiniteactuaries.com

brightergreens.com

titchlondon.com

kisuke-jinbocho.com

bloggerpremiumtemplates.com

fixxatag.com

windinder.com

xn--gs-prcision-fbb.com

touteslesmaisons.com

dispute72-paypal.com

redchairsewingroom.com

comparisontech.net

fazedrop.com

tradein-car.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/5032-12-0x0000000000400000-0x0000000000428000-memory.dmp xloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

description pid process target process

PID 2588 set thread context of 5032 2588 fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

pid process

5032 fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
5032 fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/5032-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

description	pid	process	target process
PID 2588 set thread context of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

pid	process
5032	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
5032	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

description	pid	process	target process
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
PID 2588 wrote to memory of 5032	2588	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe	fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe93fd7b777639146c4927a698ab4c33_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-8-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2588-6-0x0000000005180000-0x000000000519C000-memory.dmp

Filesize
112KB

Download
memory/2588-2-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/2588-3-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2588-1-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2588-5-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/2588-0-0x0000000000490000-0x0000000000580000-memory.dmp

Filesize
960KB

Download
memory/2588-7-0x00000000060F0000-0x000000000618C000-memory.dmp

Filesize
624KB

Download
memory/2588-4-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2588-9-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2588-10-0x00000000068A0000-0x0000000006940000-memory.dmp

Filesize
640KB

Download
memory/2588-11-0x0000000008ED0000-0x0000000008F3E000-memory.dmp

Filesize
440KB

Download
memory/2588-14-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/5032-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5032-15-0x00000000012F0000-0x000000000163A000-memory.dmp

Filesize
3.3MB

Download
memory/5032-16-0x00000000012F0000-0x000000000163A000-memory.dmp

Filesize
3.3MB

Download