xloader | 995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3

General

Target

995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
Size

761KB
MD5

1c3047465bb31dd2ac45101680301992
SHA1

36219c9148dafb036bc5871c440cbcf959d1b683
SHA256

995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3
SHA512

cc4ef5a89b34067434e478a8e9d96e212dc1cdb0b8c128d7ab6890e91cb4c4f0170270b86ae872219c4adfbe1bcb19490beadbe65ae4f296aabc9b802ed93d74

Score

10^/10

xloader arup loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arup

C2

http://www.sapphiretype.com/arup/

Decoy

mezonpezon.com

bellapbd.com

xn--2kr800ab2z.group

cupecoysuites.com

extractselect.com

cherrycooky.com

reshawna.com

bluewinetours.com

dez2fly.com

washedproductions.com

om-asahi-kasei-jp.com

talkingpoint.tours

avaspacecompany.com

fbtvmall.com

trocaoferta.com

mionegozio.com

reitschuetz.com

basepicks.com

networkagricity.com

kastore.club

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3956-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3956-127-0x000000000041D4B0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

description	pid	process	target process
PID 628 set thread context of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

pid	process
3956	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
3956	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

description	pid	process	target process
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
PID 628 wrote to memory of 3956	628	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe	995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe

C:\Users\Admin\AppData\Local\Temp\995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
"C:\Users\Admin\AppData\Local\Temp\995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe
"C:\Users\Admin\AppData\Local\Temp\995c349e77a02cf1d77af852797437f2cd89914f41f493fa7f352549f374d7d3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3956

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/628-116-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/628-117-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/628-118-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/628-119-0x0000000004D20000-0x000000000521E000-memory.dmp

Filesize
5.0MB

Download
memory/628-120-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/628-121-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/628-122-0x0000000005200000-0x000000000521D000-memory.dmp

Filesize
116KB

Download
memory/628-123-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/628-124-0x0000000007AB0000-0x0000000007B1B000-memory.dmp

Filesize
428KB

Download
memory/628-125-0x0000000007B40000-0x0000000007B7B000-memory.dmp

Filesize
236KB

Download
memory/3956-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3956-127-0x000000000041D4B0-mapping.dmp

Download
memory/3956-128-0x00000000012B0000-0x00000000015D0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads