xloader | 9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93

General

Target

9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
Size

509KB
MD5

196b7f181400d2e97eb9579059cc900c
SHA1

4db7ff3d766b0fb98a6c70a4272aaf71a1a60180
SHA256

9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93
SHA512

e64427df89db6a971c453ad481477e78632732c3ca7b1b544324fc9ccb1e00a6d830879ff0408adefeff7f28cd5e3308f4c3f2a34f34a3e2334080de8489d6fa

Score

10^/10

xloader u0n0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4472-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

description	pid	process	target process
PID 3724 set thread context of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

pid	process
4472	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
4472	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

description	pid	process	target process
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
PID 3724 wrote to memory of 4472	3724	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe	9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe

C:\Users\Admin\AppData\Local\Temp\9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
"C:\Users\Admin\AppData\Local\Temp\9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe
"C:\Users\Admin\AppData\Local\Temp\9343e815779a3b9b9520e1f781b89a20d1a7a961e56cb98e266880b7ab9e8f93.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3724-118-0x00000000000E0000-0x0000000000164000-memory.dmp

Filesize
528KB

Download
memory/3724-119-0x0000000004F80000-0x000000000547E000-memory.dmp

Filesize
5.0MB

Download
memory/3724-120-0x0000000004990000-0x0000000004A22000-memory.dmp

Filesize
584KB

Download
memory/3724-121-0x0000000004A80000-0x0000000004F7E000-memory.dmp

Filesize
5.0MB

Download
memory/3724-122-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/3724-123-0x0000000004F00000-0x0000000004F0C000-memory.dmp

Filesize
48KB

Download
memory/3724-124-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/3724-125-0x0000000005710000-0x0000000005760000-memory.dmp

Filesize
320KB

Download
memory/4472-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4472-127-0x00000000015F0000-0x0000000001910000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads