xloader | 5d5d3759e3350abef81021ccf0af5932de24d1e04b93342906f6f86d023ed871

General

Target

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
Size

728KB
MD5

64af41000584694858d0fcc37b1bf69b
SHA1

707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
SHA512

dff4927081ff280eb4e707660c596adfbf8ada0f02cdbf8dd2414cb368b8036708558e854b892eda7dc0049c11df6ff1044cb0ec7c9ae9a32851ba3790fd7177

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.pedroiniesta.net/n7ad/

Decoy

orchardevent.com

inthebeginningshop.com

keodm.com

hangthejury.com

cannabisllp.com

letsratethis.com

milanfashionperu.com

adcvip.com

professionalcprclasses.com

checkmytradesmanswork.com

sloanksmith.com

apnajamshedpur.com

665448.com

zryld.com

cabot.city

graet.design

furbabiesandflowers.com

silkisensations.com

sawubonastore.com

screenwinz18.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3044-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3044-126-0x000000000041D090-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

description	pid	process	target process
PID 784 set thread context of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

pid	process
3044	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
3044	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

description	pid	process	target process
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
PID 784 wrote to memory of 3044	784	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe

C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-114-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/784-116-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/784-117-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/784-118-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/784-119-0x0000000004FC0000-0x00000000054BE000-memory.dmp

Filesize
5.0MB

Download
memory/784-120-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/784-121-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/784-122-0x00000000050D0000-0x00000000050DE000-memory.dmp

Filesize
56KB

Download
memory/784-123-0x0000000000E60000-0x0000000000F07000-memory.dmp

Filesize
668KB

Download
memory/784-124-0x0000000000F10000-0x0000000000F71000-memory.dmp

Filesize
388KB

Download
memory/3044-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-126-0x000000000041D090-mapping.dmp

Download
memory/3044-128-0x0000000001AD0000-0x0000000001DF0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads