xloader | b40312b973ddb1ec411375991f52c6d19204e650d90507445782aaa05bc02e46

General

Target

b911af1e5d84afbe42050f97cef3573b.exe
Size

856KB
MD5

b911af1e5d84afbe42050f97cef3573b
SHA1

706a40efe57a6351736054e3758de58573465a95
SHA256

b40312b973ddb1ec411375991f52c6d19204e650d90507445782aaa05bc02e46
SHA512

7effa2081a2e6e04fdee3d4696944a5d2bb80a16e8e2d173c173c80958e4ab69a9a9c52e8bcbb587a358ef6836569e298167acd9b05c4f0cedcdd31b6cdf440d

Score

10^/10

xloader ahdu loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ahdu

C2

http://www.casinoregio.com/ahdu/

Decoy

premiumfreebie.com

spintheblackestcircles.com

okaidoku-shop.net

zonaseguradregistropremios.com

wzocflfow.com

maanyah.com

warrioredjuan.com

uniquelypizza.com

wondertreehr.com

ddriiverzautozs.com

mattenterline.com

urenium.com

salonjedibreakthrough.com

imgkurd.com

pierrejacqueslyon.com

quimicasurandina.com

jkpfukgmt.icu

ansariclinic.com

ashleysema.design

arkadiafoliage.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3992-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3992-125-0x000000000041D080-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

b911af1e5d84afbe42050f97cef3573b.exe

description pid process target process

PID 636 set thread context of 3992 636 b911af1e5d84afbe42050f97cef3573b.exe b911af1e5d84afbe42050f97cef3573b.exe

description	pid	process	target process
PID 636 set thread context of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b911af1e5d84afbe42050f97cef3573b.exeb911af1e5d84afbe42050f97cef3573b.exe

pid	process
636	b911af1e5d84afbe42050f97cef3573b.exe
636	b911af1e5d84afbe42050f97cef3573b.exe
3992	b911af1e5d84afbe42050f97cef3573b.exe
3992	b911af1e5d84afbe42050f97cef3573b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b911af1e5d84afbe42050f97cef3573b.exe

description pid process

Token: SeDebugPrivilege 636 b911af1e5d84afbe42050f97cef3573b.exe

description	pid	process
Token: SeDebugPrivilege	636	b911af1e5d84afbe42050f97cef3573b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b911af1e5d84afbe42050f97cef3573b.exe

description	pid	process	target process
PID 636 wrote to memory of 1248	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 1248	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 1248	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe
PID 636 wrote to memory of 3992	636	b911af1e5d84afbe42050f97cef3573b.exe	b911af1e5d84afbe42050f97cef3573b.exe

C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe
"C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe
"C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe"
2⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe
"C:\Users\Admin\AppData\Local\Temp\b911af1e5d84afbe42050f97cef3573b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3992

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-114-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/636-117-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/636-118-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/636-120-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/636-121-0x00000000056F0000-0x0000000005701000-memory.dmp

Filesize
68KB

Download
memory/636-122-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/636-123-0x000000000A130000-0x000000000A164000-memory.dmp

Filesize
208KB

Download
memory/3992-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3992-125-0x000000000041D080-mapping.dmp

Download
memory/3992-126-0x0000000001320000-0x0000000001640000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads