xloader | ce5ef050cbfe862b46edb70c1d3ee90b1fc3940ef93ee7fffe642589673d331b

General

Target

5c3e5bb82655b9e9d4c4de37b8261e9c.exe
Size

1.0MB
MD5

5c3e5bb82655b9e9d4c4de37b8261e9c
SHA1

8729efef21702fa0af0ddf315fb6f07e1086fe65
SHA256

ce5ef050cbfe862b46edb70c1d3ee90b1fc3940ef93ee7fffe642589673d331b
SHA512

f0684c7dd659506fbf446e5f0a543b03964a3eeb0e53345e99efa8582e1e743fb01a2caeb6febb4efba32cfb5aff959dd9f8bc1c06aa1397671dd8e16c5299b3

Score

10^/10

xloader ea0r loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1972-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1972-64-0x000000000041D410-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

5c3e5bb82655b9e9d4c4de37b8261e9c.exe

description pid process target process

PID 1664 set thread context of 1972 1664 5c3e5bb82655b9e9d4c4de37b8261e9c.exe 5c3e5bb82655b9e9d4c4de37b8261e9c.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5c3e5bb82655b9e9d4c4de37b8261e9c.exe5c3e5bb82655b9e9d4c4de37b8261e9c.exe

pid process

1664 5c3e5bb82655b9e9d4c4de37b8261e9c.exe
1664 5c3e5bb82655b9e9d4c4de37b8261e9c.exe
1972 5c3e5bb82655b9e9d4c4de37b8261e9c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5c3e5bb82655b9e9d4c4de37b8261e9c.exe

description pid process

Token: SeDebugPrivilege 1664 5c3e5bb82655b9e9d4c4de37b8261e9c.exe

description	pid	process	target process
PID 1664 set thread context of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe

pid	process
1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
1972	5c3e5bb82655b9e9d4c4de37b8261e9c.exe

description	pid	process
Token: SeDebugPrivilege	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5c3e5bb82655b9e9d4c4de37b8261e9c.exe

description	pid	process	target process
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe
PID 1664 wrote to memory of 1972	1664	5c3e5bb82655b9e9d4c4de37b8261e9c.exe	5c3e5bb82655b9e9d4c4de37b8261e9c.exe

C:\Users\Admin\AppData\Local\Temp\5c3e5bb82655b9e9d4c4de37b8261e9c.exe
"C:\Users\Admin\AppData\Local\Temp\5c3e5bb82655b9e9d4c4de37b8261e9c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\5c3e5bb82655b9e9d4c4de37b8261e9c.exe
"C:\Users\Admin\AppData\Local\Temp\5c3e5bb82655b9e9d4c4de37b8261e9c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-55-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1664-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1664-58-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1664-59-0x0000000000430000-0x0000000000435000-memory.dmp

Filesize
20KB

Download
memory/1664-60-0x0000000005700000-0x0000000005816000-memory.dmp

Filesize
1.1MB

Download
memory/1972-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-64-0x000000000041D410-mapping.dmp

Download
memory/1972-65-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing