xloader | 32fea88907cbefd31749cedfc8b85d3775fca2f65b15594dde355624b3ad7cc8

General

Target

2f7c9029b930382a47dc1559e4127d78.exe
Size

387KB
MD5

2f7c9029b930382a47dc1559e4127d78
SHA1

51399a722779b33442d47b3a147114503cb9dc71
SHA256

32fea88907cbefd31749cedfc8b85d3775fca2f65b15594dde355624b3ad7cc8
SHA512

5fc3a74ee8ed72dfae8e167dc5f3228c60c44ab462139eefa21a0943eeca5f768889197b154d1c4afc921715197bf591924c123c17195619a016cb3cdc39f37c

Score

10^/10

xloader i5nb loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

i5nb

Decoy

monkenram.com

ryhairclinic.com

smtrbrndmethod.com

skvela-plet.com

1sa.space

duplicatedaves.com

tudesafiofit.com

stolenartnfts.com

htmconfeccoes.com

popitparadise.com

brightlightservices.net

restaurangveckan.one

yourlittlehelp.store

vsley.com

xxxpornmodels.com

lei.ink

ouch247tap.com

paradgmpharma.com

airdrop-binance.com

hip-hopyhvqha.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/708-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f7c9029b930382a47dc1559e4127d78.exe

description pid process target process

PID 1212 set thread context of 708 1212 2f7c9029b930382a47dc1559e4127d78.exe 2f7c9029b930382a47dc1559e4127d78.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2f7c9029b930382a47dc1559e4127d78.exe

pid process

708 2f7c9029b930382a47dc1559e4127d78.exe

description	pid	process	target process
PID 1212 set thread context of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe

pid	process
708	2f7c9029b930382a47dc1559e4127d78.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2f7c9029b930382a47dc1559e4127d78.exe

description	pid	process	target process
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe
PID 1212 wrote to memory of 708	1212	2f7c9029b930382a47dc1559e4127d78.exe	2f7c9029b930382a47dc1559e4127d78.exe

C:\Users\Admin\AppData\Local\Temp\2f7c9029b930382a47dc1559e4127d78.exe
"C:\Users\Admin\AppData\Local\Temp\2f7c9029b930382a47dc1559e4127d78.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\2f7c9029b930382a47dc1559e4127d78.exe
"C:\Users\Admin\AppData\Local\Temp\2f7c9029b930382a47dc1559e4127d78.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:708

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/708-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/708-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/708-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/708-63-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/1212-55-0x0000000000190000-0x00000000001F8000-memory.dmp

Filesize
416KB

Download
memory/1212-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1212-57-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1212-58-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1212-59-0x0000000004F70000-0x0000000004FD2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing