xloader | 3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61

Resubmissions

21-07-2021 21:42

210721-p6tfd1312a 10

21-07-2021 16:56

210721-32kqsm4kzn 10

Analysis

max time kernel
1560s
max time network
1607s
platform
windows7_x64
resource
win7v20210410
submitted
21-07-2021 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
Size

767KB
MD5

0ddeb0b17f45b044ca999164550dd25c
SHA1

98c59b8743624e0354d47e51ccbc52d37c2260ec
SHA256

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61
SHA512

83e87605ba0e523d9f1c215e2695f95d5a5f886e0151412212ec7c9abd0acebca5a2f2fd42df4fc292fc8ba72991cb38b8426179d4f103c1389ba6b44e8fe917

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.partypacktv.net/a3ea/

Decoy

yvsgge.com

shooter2.com

ugcfashion.com

deltaefficiencies.com

raidertomb.com

atiempoconguadalupe.com

whmmhh.com

hangar360aircraft.com

toughcookiemasks.store

blindowlch.com

yipo.info

mindsomamove.com

theresalobstahlike.com

nova-select.com

socetegen.com

platinaman.com

datsu-nihon.com

jumpstartinggenius.com

slxplay.com

rightwaysdecor.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/684-69-0x000000000041D030-mapping.dmp	xloader
behavioral1/memory/684-68-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

description	pid	process	target process
PID 1668 set thread context of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

pid	process
1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
684	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

description pid process

Token: SeDebugPrivilege 1668 3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

description	pid	process
Token: SeDebugPrivilege	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

description	pid	process	target process
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
PID 1668 wrote to memory of 684	1668	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe	3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe

C:\Users\Admin\AppData\Local\Temp\3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
"C:\Users\Admin\AppData\Local\Temp\3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
  C:\Users\Admin\AppData\Local\Temp\3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-69-0x000000000041D030-mapping.dmp

Download
memory/684-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/684-70-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1668-59-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x0000000002070000-0x00000000020D1000-memory.dmp

Filesize
388KB

Download
memory/1668-67-0x0000000005170000-0x00000000051E8000-memory.dmp

Filesize
480KB

Download