xloader | e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

General

Target

91679f42cd3ba051b5c7ce37d45b222c.exe
Size

570KB
MD5

91679f42cd3ba051b5c7ce37d45b222c
SHA1

decc607894a299033ed3ede115a3bce51d21020b
SHA256

e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e
SHA512

b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Score

10^/10

xloader pufi loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pufi

C2

http://www.homestechs.com/pufi/

Decoy

fusiongroupgames.net

hugevari.com

rebeccagriffiths.com

trocaoferta.com

theslashapp.com

codezonesoftware.xyz

sottocommunications.com

minicreators.online

course2millions.com

hfm5n1dhkjqwpe.xyz

xlab-ub.com

silvanaribeirocake.com

thefabinteriordesign.com

mg-leadership.com

petbort.com

ndust.net

203040302.xyz

jakital.com

shophuunghia.info

rednacionaldejuecesrd.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4008-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4008-125-0x000000000041D450-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

91679f42cd3ba051b5c7ce37d45b222c.exe

description pid process target process

PID 2096 set thread context of 4008 2096 91679f42cd3ba051b5c7ce37d45b222c.exe 91679f42cd3ba051b5c7ce37d45b222c.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

91679f42cd3ba051b5c7ce37d45b222c.exe

pid process

4008 91679f42cd3ba051b5c7ce37d45b222c.exe
4008 91679f42cd3ba051b5c7ce37d45b222c.exe

description	pid	process	target process
PID 2096 set thread context of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe

pid	process
4008	91679f42cd3ba051b5c7ce37d45b222c.exe
4008	91679f42cd3ba051b5c7ce37d45b222c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

91679f42cd3ba051b5c7ce37d45b222c.exe

description	pid	process	target process
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe
PID 2096 wrote to memory of 4008	2096	91679f42cd3ba051b5c7ce37d45b222c.exe	91679f42cd3ba051b5c7ce37d45b222c.exe

C:\Users\Admin\AppData\Local\Temp\91679f42cd3ba051b5c7ce37d45b222c.exe
"C:\Users\Admin\AppData\Local\Temp\91679f42cd3ba051b5c7ce37d45b222c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\91679f42cd3ba051b5c7ce37d45b222c.exe
"C:\Users\Admin\AppData\Local\Temp\91679f42cd3ba051b5c7ce37d45b222c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-115-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2096-117-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2096-118-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2096-119-0x0000000004AC0000-0x0000000004FBE000-memory.dmp

Filesize
5.0MB

Download
memory/2096-120-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2096-121-0x0000000007040000-0x0000000007046000-memory.dmp

Filesize
24KB

Download
memory/2096-122-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/2096-123-0x0000000007320000-0x000000000736B000-memory.dmp

Filesize
300KB

Download
memory/4008-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4008-125-0x000000000041D450-mapping.dmp

Download
memory/4008-126-0x0000000001150000-0x0000000001470000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing