xloader | 306197e367d32ebeb65e18cd9607f58268f6e4751de77ae1cf8f5270e660c1f6

General

Target

6c15b3de8c54e5e3339a446af50fc48a.exe
Size

904KB
MD5

6c15b3de8c54e5e3339a446af50fc48a
SHA1

1133619a11f7410cf2ee2ca0e42324898e524154
SHA256

306197e367d32ebeb65e18cd9607f58268f6e4751de77ae1cf8f5270e660c1f6
SHA512

6bd0a44da885f085bafa277169c79fcb4411c928b850e16cea3b3119ad81b23a3497c211150ba8cb386a649ef7ed9f89ab026e570844dab2b83762b4dce36a6a

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.tjbc-bearing.com/u6bi/

Decoy

5588aiai.com

sint-ecommerce.com

epreyn.com

unexpectedbrewing.com

pomiandpam.com

viverdebatatas.com

dirham.world

accademiadelfuturo.net

mengyaheng.com

ilocalrealtor.com

glomiotel.website

metal1sa.com

kslife.net

maxfitnesslakeoconee.com

hoteldeleauvive.com

sidingzhou.com

getvocall.com

basicryptomining.com

indiasofannapolis.com

tresorbrut.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3776-128-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3776-129-0x000000000041D040-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c15b3de8c54e5e3339a446af50fc48a.exe

description pid process target process

PID 3944 set thread context of 3776 3944 6c15b3de8c54e5e3339a446af50fc48a.exe 6c15b3de8c54e5e3339a446af50fc48a.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6c15b3de8c54e5e3339a446af50fc48a.exe

pid process

3776 6c15b3de8c54e5e3339a446af50fc48a.exe
3776 6c15b3de8c54e5e3339a446af50fc48a.exe

description	pid	process	target process
PID 3944 set thread context of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe

pid	process
3776	6c15b3de8c54e5e3339a446af50fc48a.exe
3776	6c15b3de8c54e5e3339a446af50fc48a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6c15b3de8c54e5e3339a446af50fc48a.exe

description	pid	process	target process
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe
PID 3944 wrote to memory of 3776	3944	6c15b3de8c54e5e3339a446af50fc48a.exe	6c15b3de8c54e5e3339a446af50fc48a.exe

C:\Users\Admin\AppData\Local\Temp\6c15b3de8c54e5e3339a446af50fc48a.exe
"C:\Users\Admin\AppData\Local\Temp\6c15b3de8c54e5e3339a446af50fc48a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\6c15b3de8c54e5e3339a446af50fc48a.exe
  "C:\Users\Admin\AppData\Local\Temp\6c15b3de8c54e5e3339a446af50fc48a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3776-128-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3776-130-0x0000000001590000-0x00000000018B0000-memory.dmp

Filesize
3.1MB

Download
memory/3776-129-0x000000000041D040-mapping.dmp

Download
memory/3944-123-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3944-119-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3944-120-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3944-121-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3944-122-0x0000000005440000-0x000000000593E000-memory.dmp

Filesize
5.0MB

Download
memory/3944-114-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3944-124-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3944-125-0x0000000007320000-0x000000000733B000-memory.dmp

Filesize
108KB

Download
memory/3944-126-0x0000000008F20000-0x0000000008F8F000-memory.dmp

Filesize
444KB

Download
memory/3944-127-0x0000000008F90000-0x0000000008FBB000-memory.dmp

Filesize
172KB

Download
memory/3944-118-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing