xloader | 5d5d3759e3350abef81021ccf0af5932de24d1e04b93342906f6f86d023ed871

General

Target

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
Size

728KB
MD5

64af41000584694858d0fcc37b1bf69b
SHA1

707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
SHA512

dff4927081ff280eb4e707660c596adfbf8ada0f02cdbf8dd2414cb368b8036708558e854b892eda7dc0049c11df6ff1044cb0ec7c9ae9a32851ba3790fd7177

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.pedroiniesta.net/n7ad/

Decoy

orchardevent.com

inthebeginningshop.com

keodm.com

hangthejury.com

cannabisllp.com

letsratethis.com

milanfashionperu.com

adcvip.com

professionalcprclasses.com

checkmytradesmanswork.com

sloanksmith.com

apnajamshedpur.com

665448.com

zryld.com

cabot.city

graet.design

furbabiesandflowers.com

silkisensations.com

sawubonastore.com

screenwinz18.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/564-66-0x000000000041D090-mapping.dmp	xloader
behavioral1/memory/564-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

description	pid	process	target process
PID 788 set thread context of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

pid process

564 fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

pid	process
564	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

description	pid	process	target process
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 788 wrote to memory of 564	788	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:564

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-66-0x000000000041D090-mapping.dmp

Download
memory/564-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/564-68-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/788-59-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/788-61-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/788-62-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/788-63-0x0000000004FE0000-0x0000000005087000-memory.dmp

Filesize
668KB

Download
memory/788-64-0x0000000002110000-0x0000000002171000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads