xloader | a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f

General

Target

0e99d13aafcc5e8fadc45d8b85336d9b.exe
Size

582KB
MD5

0e99d13aafcc5e8fadc45d8b85336d9b
SHA1

6573c9dd229e50981aa24128ad02a07e99805369
SHA256

a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f
SHA512

d2c22cff7ad0e8ea73b4d6a82f732d5d4f10033598040d545f00711d5a9c10c2d78e5c5aa17c8cacf9434e361f4b947a33c4849e800e2f3df7b73245ecd69d5a

Score

10^/10

xloader pnug loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2892-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2892-126-0x000000000041D400-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0e99d13aafcc5e8fadc45d8b85336d9b.exe

description pid process target process

PID 2476 set thread context of 2892 2476 0e99d13aafcc5e8fadc45d8b85336d9b.exe 0e99d13aafcc5e8fadc45d8b85336d9b.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0e99d13aafcc5e8fadc45d8b85336d9b.exe

pid process

2892 0e99d13aafcc5e8fadc45d8b85336d9b.exe
2892 0e99d13aafcc5e8fadc45d8b85336d9b.exe

description	pid	process	target process
PID 2476 set thread context of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe

pid	process
2892	0e99d13aafcc5e8fadc45d8b85336d9b.exe
2892	0e99d13aafcc5e8fadc45d8b85336d9b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0e99d13aafcc5e8fadc45d8b85336d9b.exe

description	pid	process	target process
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe
PID 2476 wrote to memory of 2892	2476	0e99d13aafcc5e8fadc45d8b85336d9b.exe	0e99d13aafcc5e8fadc45d8b85336d9b.exe

C:\Users\Admin\AppData\Local\Temp\0e99d13aafcc5e8fadc45d8b85336d9b.exe
"C:\Users\Admin\AppData\Local\Temp\0e99d13aafcc5e8fadc45d8b85336d9b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\0e99d13aafcc5e8fadc45d8b85336d9b.exe
"C:\Users\Admin\AppData\Local\Temp\0e99d13aafcc5e8fadc45d8b85336d9b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-115-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/2476-116-0x0000000000130000-0x00000000001C8000-memory.dmp

Filesize
608KB

Download
memory/2476-117-0x0000000005020000-0x000000000551E000-memory.dmp

Filesize
5.0MB

Download
memory/2476-118-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/2476-119-0x0000000004B50000-0x0000000004B5A000-memory.dmp

Filesize
40KB

Download
memory/2476-120-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/2476-121-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/2476-122-0x0000000004DE0000-0x0000000004DEE000-memory.dmp

Filesize
56KB

Download
memory/2476-123-0x0000000006710000-0x000000000675B000-memory.dmp

Filesize
300KB

Download
memory/2476-124-0x0000000006940000-0x000000000699E000-memory.dmp

Filesize
376KB

Download
memory/2892-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2892-126-0x000000000041D400-mapping.dmp

Download
memory/2892-127-0x00000000016C0000-0x00000000019E0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing