xloader | 4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4

General

Target

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
Size

50KB
MD5

9d95cf845f980370aec4ab7a815f1803
SHA1

a21b5d35b87a3ca35dbf313689d720c07903c9e7
SHA256

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4
SHA512

1607ac27b7cf4c033f6b24e618939ab8a635fb44eb3801fd079494590b44ccb3720271456e6d3fd6e37f74d02128923c4bd8bb1580dbe5051547bd2dac98d0d6

Score

10^/10

xloader mexq loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mexq

C2

http://www.aliexpress-br.com/mexq/

Decoy

cyebang.com

hcswwsz.com

50003008.com

yfly624.xyz

trungtamhohap.xyz

sotlbb.com

bizhan69.com

brandmty.net

fucibou.xyz

orderinformantmailer.store

nobleminers.com

divinevoid.com

quickappraisal.net

adventuretravelsworld.com

ashainitiativemp.com

ikkbs-a02.com

rd26x.com

goraeda.com

abbastanza.info

andypartridge.photography

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1308-121-0x0000000000400000-0x0000000000453000-memory.dmp	xloader
behavioral1/memory/1308-122-0x000000000041D4F0-mapping.dmp	xloader

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

pid	process
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

description	pid	process	target process
PID 2404 set thread context of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 2404 WerFault.exe 4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

pid	pid_target	process	target process
1312	2404	WerFault.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exeWerFault.exe

pid	process
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
1308	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
1308	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
Token: SeRestorePrivilege	1312	WerFault.exe
Token: SeBackupPrivilege	1312	WerFault.exe
Token: SeDebugPrivilege	1312	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

description	pid	process	target process
PID 2404 wrote to memory of 496	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 496	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 496	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1288	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1288	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1288	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
PID 2404 wrote to memory of 1308	2404	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe	4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe

C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
"C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
"C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe"
2⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
"C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe"
2⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe
"C:\Users\Admin\AppData\Local\Temp\4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1308-122-0x000000000041D4F0-mapping.dmp

Download
memory/1308-123-0x0000000000F20000-0x0000000001240000-memory.dmp

Filesize
3.1MB

Download
memory/2404-115-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2404-117-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2404-118-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2404-119-0x0000000005BE0000-0x0000000005C4A000-memory.dmp

Filesize
424KB

Download
memory/2404-120-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads