xloader | 1c25b56211f31c6b5b12f3f2f108fcbe15095a815475bc1601a80222b1d4b220

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
Size

325KB
MD5

3032632f0a00a33817224cb306b18795
SHA1

03af6f9714444e6ab41949e67d05cfdfbb0b3faa
SHA256

1c25b56211f31c6b5b12f3f2f108fcbe15095a815475bc1601a80222b1d4b220
SHA512

7196af265617655f6ed60cf51e79d9b671793bd12d17aeb024c7220075fd01e7730bacd8d07236be17537bddf460a5e33532307a6cd6c92b16067e71a7952800
SSDEEP

6144:PZVDcH77hl6sxVoVnwLboDKMv3/NUOdUPUV:PnIHvv5UVwLMD73/NUOdUMV

Score

10^/10

xloader zgrat bs85 loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

bs85

Decoy

needcoupon.net

studio-nock.com

gladiadorcalistenia.com

proctaur.com

motemo.com

jackedhammerfitness.com

monkeysinthesky.com

milagrotacosandcantina.com

buddyresort.com

liaocheng8.xyz

vegauitdeoven.com

henriquezelectric.net

mxzc365.com

eneeds.net

elementsbuy.com

klinaton.com

choicescapes.net

waveadmit.guru

lakehoustonrugby.com

office-by-experts.com

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2276-7-0x0000000000370000-0x0000000000384000-memory.dmp family_zgrat_v1
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Xloader payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2964-14-0x0000000000400000-0x0000000000428000-memory.dmp xloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

description pid process target process

PID 2276 set thread context of 2964 2276 3032632f0a00a33817224cb306b18795_JaffaCakes118.exe 3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

pid process

2964 3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2276 3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2276-7-0x0000000000370000-0x0000000000384000-memory.dmp	family_zgrat_v1

resource	yara_rule
behavioral1/memory/2964-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

description	pid	process	target process
PID 2276 set thread context of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

pid	process
2964	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

description	pid	process	target process
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
PID 2276 wrote to memory of 2964	2276	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe	3032632f0a00a33817224cb306b18795_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3032632f0a00a33817224cb306b18795_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-6-0x0000000000BF0000-0x0000000000C28000-memory.dmp

Filesize
224KB

Download
memory/2276-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2276-2-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2276-3-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-4-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2276-5-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-1-0x0000000001070000-0x00000000010C6000-memory.dmp

Filesize
344KB

Download
memory/2276-7-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/2276-15-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2964-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2964-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2964-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-16-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download