xloader | 5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

General

Target

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
Size

634KB
MD5

99ed5f72e5742e549a6ec78655fd3cfc
SHA1

31a4f6fc81c45e49f4787cebe622256fa74d8a06
SHA256

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
SHA512

45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

Score

10^/10

xloader cuig loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cuig

C2

http://www.qtih.top/cuig/

Decoy

sofiathinks-elderly.net

lahamicoast.info

2shengman.com

cbsautoplex.com

arcana-candles.com

genrage.com

kukumiou.xyz

thequizerking.com

sonataproductions.com

rebuildgomnmf.xyz

ubcoin.store

yiyouxue.net

firstlifehome.com

mdx-inc.net

gotbn-c01.com

dinobrindes.store

jcm-iso.com

cliente-mais.com

mloujewelry.com

correoversoi.quest

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2972-125-0x000000000041D3F0-mapping.dmp	xloader
behavioral2/memory/2972-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

description	pid	process	target process
PID 1032 set thread context of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

pid	process
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
2972	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
2972	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

description pid process

Token: SeDebugPrivilege 1032 5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

description	pid	process
Token: SeDebugPrivilege	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

description	pid	process	target process
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
PID 1032 wrote to memory of 2972	1032	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe	5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe

C:\Users\Admin\AppData\Local\Temp\5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-114-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1032-116-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/1032-117-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1032-118-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1032-119-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1032-120-0x0000000005000000-0x0000000005007000-memory.dmp

Filesize
28KB

Download
memory/1032-121-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1032-122-0x0000000005D10000-0x0000000005D70000-memory.dmp

Filesize
384KB

Download
memory/1032-123-0x0000000008360000-0x000000000838B000-memory.dmp

Filesize
172KB

Download
memory/2972-125-0x000000000041D3F0-mapping.dmp

Download
memory/2972-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-126-0x00000000010B0000-0x00000000013D0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads