xloader | fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e

General

Target

fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
Size

322KB
MD5

980c080857ff5a30b52a62d8649042da
SHA1

526b740fdf0c8d3d16de1cbe6fc687719a6c2814
SHA256

fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e
SHA512

1212fe6df9117071aef70e8a9b35f8354771d31e55606c4f41c3d0e45ab14c0c819bb2d5f745b02c6d59a2da5adcbf9b61fc70c6d630bd97d45ae219247e563e

Score

10^/10

xloader mwev loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1416-126-0x000000000041D480-mapping.dmp	xloader
behavioral1/memory/1416-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

description	pid	process	target process
PID 3048 set thread context of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

pid	process
1416	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
1416	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

description	pid	process	target process
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
PID 3048 wrote to memory of 1416	3048	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe	fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe

C:\Users\Admin\AppData\Local\Temp\fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
"C:\Users\Admin\AppData\Local\Temp\fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe
"C:\Users\Admin\AppData\Local\Temp\fafcee9b031f24dbd150b43afbb5cac24bbdccfa4125f4f3017bdd8e94926e9e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-126-0x000000000041D480-mapping.dmp

Download
memory/1416-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1416-127-0x00000000019D0000-0x0000000001CF0000-memory.dmp

Filesize
3.1MB

Download
memory/3048-115-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/3048-117-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3048-118-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3048-119-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3048-120-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3048-121-0x0000000004C10000-0x000000000510E000-memory.dmp

Filesize
5.0MB

Download
memory/3048-122-0x0000000004EF0000-0x0000000004EF7000-memory.dmp

Filesize
28KB

Download
memory/3048-123-0x000000007F5F0000-0x000000007F5F1000-memory.dmp

Filesize
4KB

Download
memory/3048-124-0x0000000006980000-0x00000000069CB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads