xloader | 0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b

General

Target

0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
Size

417KB
MD5

188a0c1b3179c00fa189e73b772dcd72
SHA1

efa12177184000acf7236187b9582ba204ac1387
SHA256

0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b
SHA512

8feec5cadd9710eda47653eb26041c99b7915d5a664f90b9daabfddb65651be6161c9b21bece2943c8d8ae54a1ec44f6aaabbb1bd964791abe3cc020d771bad0

Score

10^/10

xloader wogm loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wogm

C2

http://www.eygtogel021.com/wogm/

Decoy

sub-dude.net

repeatcustom.com

goodspaz.com

sinagropuree.com

jyh8886.com

muescabynes.quest

stark.agency

nolimit168.com

hypermediastore.com

arab-xt-pro.com

gruppovimar.com

santamariamoto.express

affaridistribuciones.com

straetah.com

collectionsbyvivi.com

nalainteriores.com

weeklywars.com

insightmyhome.com

ucml.net

herderguru.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2916-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2916-125-0x000000000041D430-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

description	pid	process	target process
PID 3208 set thread context of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

pid	process
2916	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
2916	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

description	pid	process	target process
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
PID 3208 wrote to memory of 2916	3208	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe	0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe

C:\Users\Admin\AppData\Local\Temp\0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
"C:\Users\Admin\AppData\Local\Temp\0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe
"C:\Users\Admin\AppData\Local\Temp\0997b2cc23e6aa9743c78ccaba88fb036bc03937011a12bbb367e6b457461c0b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2916-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-125-0x000000000041D430-mapping.dmp

Download
memory/2916-126-0x00000000018C0000-0x0000000001BE0000-memory.dmp

Filesize
3.1MB

Download
memory/3208-115-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3208-117-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/3208-118-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3208-119-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3208-120-0x0000000007090000-0x000000000758E000-memory.dmp

Filesize
5.0MB

Download
memory/3208-121-0x000000000A920000-0x000000000A927000-memory.dmp

Filesize
28KB

Download
memory/3208-122-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/3208-123-0x0000000008E10000-0x0000000008E5B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads