xloader | 23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e

General

Target

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
Size

406KB
MD5

192b796d92d190c45204571599c38c86
SHA1

611559df5b74934dea4c81a5490e2c64a73ee6e0
SHA256

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e
SHA512

da9e4bb2300d2968125427d122d5e81cecf2d342dc2c17fc16d5dc1ac7f511d53e75233c1844c1948f6a82740818166229e7ea2411a40351c54e8e97a3b4ec42

Score

10^/10

xloader mwev loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3108-128-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3108-129-0x000000000041D480-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

description	pid	process	target process
PID 2580 set thread context of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

pid	process
2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
3108	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
3108	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

description pid process

Token: SeDebugPrivilege 2580 23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

description	pid	process
Token: SeDebugPrivilege	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

description	pid	process	target process
PID 2580 wrote to memory of 532	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 532	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 532	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 652	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 652	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 652	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
PID 2580 wrote to memory of 3108	2580	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe	23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe

C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
"C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
"C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe"
2⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
"C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe"
2⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe
"C:\Users\Admin\AppData\Local\Temp\23c8bfea897f9833766ceab96299a77ad19ed1e0897b7e30d56d2c56c30d2d4e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-118-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2580-120-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2580-121-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2580-122-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2580-123-0x00000000051E0000-0x00000000051E8000-memory.dmp

Filesize
32KB

Download
memory/2580-124-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/2580-125-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/2580-126-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/2580-127-0x0000000005F50000-0x0000000005FA8000-memory.dmp

Filesize
352KB

Download
memory/3108-128-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3108-129-0x000000000041D480-mapping.dmp

Download
memory/3108-130-0x00000000016A0000-0x00000000019C0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads