xloader | e65d1335f3495f7d469bea81683253ee0845b3b3980cfaea09c4a7837a6c66eb

General

Target

c01d5c630294241db988b68176f2d00f.exe
Size

473KB
MD5

c01d5c630294241db988b68176f2d00f
SHA1

2f53b05dcc5b3d5b13457f7452c4626f647fb887
SHA256

e65d1335f3495f7d469bea81683253ee0845b3b3980cfaea09c4a7837a6c66eb
SHA512

144d9633b19611a98af9858a8a6868fd3e023821de9d221428b9d91ebff83a1a3e6c97c3c8b4c22baff610e56ce641787d49fe65cffec973a140fef44a3f6c5a

Score

10^/10

xloader ef6c loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ef6c

C2

http://www.fis.photos/ef6c/

Decoy

gicaredocs.com

govusergroup.com

conversationspit.com

brondairy.com

rjtherealest.com

xn--9m1bq8wgkag3rjvb.com

mylori.net

softandcute.store

ahljsm.com

shacksolid.com

weekendmusecollection.com

gaminghallarna.net

pgonline111.online

44mpt.xyz

ambrandt.com

eddytattoo.com

blendeqes.com

upinmyfeels.com

lacucinadesign.com

docomoau.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1604-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1604-64-0x000000000041D3D0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

c01d5c630294241db988b68176f2d00f.exe

description pid process target process

PID 552 set thread context of 1604 552 c01d5c630294241db988b68176f2d00f.exe c01d5c630294241db988b68176f2d00f.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c01d5c630294241db988b68176f2d00f.exec01d5c630294241db988b68176f2d00f.exe

pid process

552 c01d5c630294241db988b68176f2d00f.exe
1604 c01d5c630294241db988b68176f2d00f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c01d5c630294241db988b68176f2d00f.exe

description pid process

Token: SeDebugPrivilege 552 c01d5c630294241db988b68176f2d00f.exe

description	pid	process	target process
PID 552 set thread context of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe

pid	process
552	c01d5c630294241db988b68176f2d00f.exe
1604	c01d5c630294241db988b68176f2d00f.exe

description	pid	process
Token: SeDebugPrivilege	552	c01d5c630294241db988b68176f2d00f.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c01d5c630294241db988b68176f2d00f.exe

description	pid	process	target process
PID 552 wrote to memory of 808	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 808	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 808	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 808	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe
PID 552 wrote to memory of 1604	552	c01d5c630294241db988b68176f2d00f.exe	c01d5c630294241db988b68176f2d00f.exe

C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe
"C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe
"C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe"
2⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe
"C:\Users\Admin\AppData\Local\Temp\c01d5c630294241db988b68176f2d00f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-55-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/552-57-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/552-58-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/552-59-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download
memory/552-60-0x0000000004A70000-0x0000000004AC9000-memory.dmp

Filesize
356KB

Download
memory/1604-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1604-64-0x000000000041D3D0-mapping.dmp

Download
memory/1604-65-0x00000000009F0000-0x0000000000CF3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing