xloader | 60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f

Resubmissions

28-02-2022 11:21

220228-nf6sbseag4 10

28-02-2022 10:20

220228-mc49naeaa3 10

Analysis

max time kernel
1559s
max time network
1562s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-02-2022 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d6dba1a42b0579aea51e3875bd171c4.exe
Size

1.0MB
MD5

5d6dba1a42b0579aea51e3875bd171c4
SHA1

bacbe628d565ede6c15550469e912a1c6bba16ee
SHA256

60b97b4d45e3850d57a661bf37987909c1f99096384123594cc1b79d5449348f
SHA512

20ba7979b210768c4cb83f1849e240b28389a946d2ac12986bffb1a8309ddbcb33ac0235b30a821fdccbe0c11aa19de61037f92dcb8b1d0e1d5a0243ed540b0f

Score

10^/10

xloader mc3w loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mc3w

Decoy

pegasusworlddigital.com

lumbungpanganreborn.com

familyresourcesystems.com

smallbusniessbenefits.com

strategia-firm.xyz

rokkos.club

geo1.tirol

dreamnft.xyz

yourprofits6.com

plshi.top

atmosferas.net

appcast-76.com

lilufigu.digital

jobby.guide

bregnic.art

stooshbotanicals.com

tiktok-lifts.com

dozercafe.com

parmarthmissionhospital.com

yufude.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1204-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d6dba1a42b0579aea51e3875bd171c4.exe

description pid process target process

PID 1668 set thread context of 1204 1668 5d6dba1a42b0579aea51e3875bd171c4.exe 5d6dba1a42b0579aea51e3875bd171c4.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5d6dba1a42b0579aea51e3875bd171c4.exe

pid process

1204 5d6dba1a42b0579aea51e3875bd171c4.exe

description	pid	process	target process
PID 1668 set thread context of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe

pid	process
1204	5d6dba1a42b0579aea51e3875bd171c4.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5d6dba1a42b0579aea51e3875bd171c4.exe

description	pid	process	target process
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe
PID 1668 wrote to memory of 1204	1668	5d6dba1a42b0579aea51e3875bd171c4.exe	5d6dba1a42b0579aea51e3875bd171c4.exe

C:\Users\Admin\AppData\Local\Temp\5d6dba1a42b0579aea51e3875bd171c4.exe
"C:\Users\Admin\AppData\Local\Temp\5d6dba1a42b0579aea51e3875bd171c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\5d6dba1a42b0579aea51e3875bd171c4.exe
"C:\Users\Admin\AppData\Local\Temp\5d6dba1a42b0579aea51e3875bd171c4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-64-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1668-55-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000000DE0000-0x0000000000EF2000-memory.dmp

Filesize
1.1MB

Download
memory/1668-57-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1668-58-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1668-59-0x0000000004E90000-0x0000000004F54000-memory.dmp

Filesize
784KB

Download
memory/1668-60-0x0000000000D00000-0x0000000000D44000-memory.dmp

Filesize
272KB

Download