xloader | 25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b

General

Target

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
Size

525KB
MD5

2047db38e2d0017545a2842b5266b9ad
SHA1

298b391c34e934bda7808a54e601b6c64dfba05c
SHA256

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b
SHA512

42301389bb71daf31c8ac50640eee94a6e7ecef85e07e7ff3f78d3a6e69eb68207ffadb50cc417bf724ce124c6c21e7eb16f1baaf9fb05c1fbabae07d1481fd7

Score

10^/10

xloader u0n0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

C2

http://www.52xjg3.xyz/u0n0/

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1800-128-0x000000000041D440-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

description	pid	process	target process
PID 3744 set thread context of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

pid	process
3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
1800	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
1800	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

description pid process

Token: SeDebugPrivilege 3744 25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

description	pid	process
Token: SeDebugPrivilege	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

description	pid	process	target process
PID 3744 wrote to memory of 3204	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 3204	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 3204	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 2804	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 2804	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 2804	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
PID 3744 wrote to memory of 1800	3744	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe	25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe

C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
"C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
"C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe"
2⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
"C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe"
2⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe
"C:\Users\Admin\AppData\Local\Temp\25e4adba5d0ef98cb4f2a30b964254c5189d687d8af747533fe380907f36173b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1800-128-0x000000000041D440-mapping.dmp

Download
memory/1800-129-0x0000000000F70000-0x0000000001290000-memory.dmp

Filesize
3.1MB

Download
memory/3744-118-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3744-120-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3744-121-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3744-122-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/3744-123-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3744-124-0x00000000085B0000-0x00000000085B4000-memory.dmp

Filesize
16KB

Download
memory/3744-125-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/3744-126-0x0000000008A80000-0x0000000008AD9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads