xloader | 11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952

Analysis

max time kernel
1s
max time network
39s
platform
windows7_x64
resource
win7v20210408
submitted
22-07-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686dc98567009e47eac88e95804b9dde.exe
Size

172KB
MD5

686dc98567009e47eac88e95804b9dde
SHA1

5788c30289d12f69d5cf323049d8d3c3a3e73cda
SHA256

11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
SHA512

1450afd067710a6c2385858a2d4c7a0afeb02516885ec2515de696fc89c18f985097089af39708ba0e8088547f6fcc0a6285136a5175c169be764d9ec40924ce

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.extinctionbrews.com/dy8g/

Decoy

mzyxi-rkah-y.net

okinawarongnho.com

qq66520.com

nimbus.watch

cwdelrio.com

regalshopper.com

avito-payment.life

jorgeporcayo.com

galvinsky.digital

guys-only.com

asmfruits-almacenes.com

boatrace-life04.net

cochez.club

thelastvictor.net

janieleconte.com

ivoirepneus.com

saludflv.info

mydreamtv.net

austinphy.com

cajunseafoodstcloud.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1404-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

686dc98567009e47eac88e95804b9dde.exe

description pid process target process

PID 520 set thread context of 1404 520 686dc98567009e47eac88e95804b9dde.exe 686dc98567009e47eac88e95804b9dde.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

686dc98567009e47eac88e95804b9dde.exe

pid process

1404 686dc98567009e47eac88e95804b9dde.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

686dc98567009e47eac88e95804b9dde.exe

pid process

520 686dc98567009e47eac88e95804b9dde.exe

description	pid	process	target process
PID 520 set thread context of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe

pid	process
1404	686dc98567009e47eac88e95804b9dde.exe

pid	process
520	686dc98567009e47eac88e95804b9dde.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

686dc98567009e47eac88e95804b9dde.exe

description	pid	process	target process
PID 520 wrote to memory of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe
PID 520 wrote to memory of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe
PID 520 wrote to memory of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe
PID 520 wrote to memory of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe
PID 520 wrote to memory of 1404	520	686dc98567009e47eac88e95804b9dde.exe	686dc98567009e47eac88e95804b9dde.exe

C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe
"C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe
"C:\Users\Admin\AppData\Local\Temp\686dc98567009e47eac88e95804b9dde.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/520-61-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1404-60-0x000000000041D090-mapping.dmp

Download
memory/1404-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1404-63-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download