xloader | d1933850d05d345bc57356333ebe41446a5e1f7a7b09626a6906202f174852c1

Analysis

max time kernel
61s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
30/07/2021, 15:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
Size

629KB
MD5

401dd1e7907e4e7f7cc2c5bbb958df9d
SHA1

39b943e797c7a932f4a65a7d8f90bea31e0d7c05
SHA256

6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b
SHA512

27c9aa747bf843cb49a253253f8055cf2d856258294582e5ba1c7b6548b003ee56b37f5eabaaae9578c98784dce8011271e01be97d2dab752855b3244be7e069

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.lazz.life/mm8v/

Decoy

candobiotec.com

furnikna.com

smartmoto-canada.com

austinsubarusouth.com

seauxfierce.com

ashcomgh.com

salvamentoselcastor.com

lifetioncoin.tech

mypay.money

eczaci-tr.com

fireloxmusic.com

prendafamily.com

chroniclefighter.com

ogopizza.online

qualiacare.com

kamenjoy.com

shinanogroup.com

zaceniadult.info

thehetaira.com

enter-coworking.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

resource	yara_rule
behavioral27/memory/1300-125-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral27/memory/1300-126-0x000000000041D000-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1300	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
1300	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79
PID 3916 wrote to memory of 1300	3916	6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe	79

C:\Users\Admin\AppData\Local\Temp\6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
"C:\Users\Admin\AppData\Local\Temp\6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
  "C:\Users\Admin\AppData\Local\Temp\6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1300-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1300-127-0x0000000001630000-0x0000000001950000-memory.dmp

Filesize
3.1MB

Download
memory/3916-121-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/3916-119-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3916-120-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3916-114-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3916-122-0x00000000056C0000-0x00000000056DB000-memory.dmp

Filesize
108KB

Download
memory/3916-123-0x0000000007B40000-0x0000000007BAF000-memory.dmp

Filesize
444KB

Download
memory/3916-124-0x0000000007BB0000-0x0000000007BDB000-memory.dmp

Filesize
172KB

Download
memory/3916-118-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3916-117-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/3916-116-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download