xloader | 3759a4136f3ab450b1c26121511bdfea101baf948b580af60516c8c2d5c7b900

Analysis

max time kernel
2s
max time network
54s
platform
windows7_x64
resource
win7v20210408
submitted
27-07-2021 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321ebf1c2e57ae454232ee12b6892164.exe
Size

383KB
MD5

321ebf1c2e57ae454232ee12b6892164
SHA1

db9f088a05203a6caf9656e59731f027adfe1bd0
SHA256

3759a4136f3ab450b1c26121511bdfea101baf948b580af60516c8c2d5c7b900
SHA512

afc14c50480f173932da1c0f7d80ef7667eb95a8c8f66279f8481c4ef85a669c8c0ac15582b6762521b78d34af7510c374dd1b30e3fd14e1d273639b4c85e083

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.extinctionbrews.com/dy8g/

Decoy

mzyxi-rkah-y.net

okinawarongnho.com

qq66520.com

nimbus.watch

cwdelrio.com

regalshopper.com

avito-payment.life

jorgeporcayo.com

galvinsky.digital

guys-only.com

asmfruits-almacenes.com

boatrace-life04.net

cochez.club

thelastvictor.net

janieleconte.com

ivoirepneus.com

saludflv.info

mydreamtv.net

austinphy.com

cajunseafoodstcloud.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1964-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

321ebf1c2e57ae454232ee12b6892164.exe

description pid process target process

PID 1092 set thread context of 1964 1092 321ebf1c2e57ae454232ee12b6892164.exe 321ebf1c2e57ae454232ee12b6892164.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

321ebf1c2e57ae454232ee12b6892164.exe

pid process

1964 321ebf1c2e57ae454232ee12b6892164.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

321ebf1c2e57ae454232ee12b6892164.exe

pid process

1092 321ebf1c2e57ae454232ee12b6892164.exe

description	pid	process	target process
PID 1092 set thread context of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe

pid	process
1964	321ebf1c2e57ae454232ee12b6892164.exe

pid	process
1092	321ebf1c2e57ae454232ee12b6892164.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

321ebf1c2e57ae454232ee12b6892164.exe

description	pid	process	target process
PID 1092 wrote to memory of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe
PID 1092 wrote to memory of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe
PID 1092 wrote to memory of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe
PID 1092 wrote to memory of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe
PID 1092 wrote to memory of 1964	1092	321ebf1c2e57ae454232ee12b6892164.exe	321ebf1c2e57ae454232ee12b6892164.exe

C:\Users\Admin\AppData\Local\Temp\321ebf1c2e57ae454232ee12b6892164.exe
"C:\Users\Admin\AppData\Local\Temp\321ebf1c2e57ae454232ee12b6892164.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\321ebf1c2e57ae454232ee12b6892164.exe
"C:\Users\Admin\AppData\Local\Temp\321ebf1c2e57ae454232ee12b6892164.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1092-62-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1964-61-0x000000000041D090-mapping.dmp

Download
memory/1964-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1964-64-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download