xloader | 31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654

General

Target

PO.exe
Size

906KB
MD5

d87832e3f675ffd9d871f455ffa55ff1
SHA1

8d2a9daa0caf5fad0159ed2233d56bf94b8e7337
SHA256

31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654
SHA512

779258a90d6552c09b132b01b80418054c9a972d797d91c8e202644594a487da60653777137f6acf1ad8ad4d7e8b873bb88505338a126923f9876c9c7499adf9

Score

10^/10

xloader yrcy loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yrcy

Decoy

sturlabas.com

tantrungcompany.com

wildgraceyogahealing.com

wsparalegal.com

8xhgq.xyz

mysaylav.com

amelntl.net

cooleshow.online

adventuresbydisneyathome.com

sprinklekart.com

prostitutkitambovasuck.info

pakdao.com

finsith.com

nightpartner82.xyz

sex9a4ufbj.com

ketohousee.com

mairie-les-cammazes.com

elebots.xyz

highqualityremodeling.net

teamsterslocal553.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 1636 set thread context of 1956 1636 PO.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2016 1956 WerFault.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO.exe

pid process

1636 PO.exe
1636 PO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO.exe

description pid process

Token: SeDebugPrivilege 1636 PO.exe

description	pid	process	target process
PID 1636 set thread context of 1956	1636	PO.exe	RegSvcs.exe

pid	pid_target	process	target process
2016	1956	WerFault.exe	RegSvcs.exe

pid	process
1636	PO.exe
1636	PO.exe

description	pid	process
Token: SeDebugPrivilege	1636	PO.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO.exeRegSvcs.exe

description	pid	process	target process
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1636 wrote to memory of 1956	1636	PO.exe	RegSvcs.exe
PID 1956 wrote to memory of 2016	1956	RegSvcs.exe	WerFault.exe
PID 1956 wrote to memory of 2016	1956	RegSvcs.exe	WerFault.exe
PID 1956 wrote to memory of 2016	1956	RegSvcs.exe	WerFault.exe
PID 1956 wrote to memory of 2016	1956	RegSvcs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 36
3⤵
- Program crash
PID:2016

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-54-0x0000000001130000-0x0000000001218000-memory.dmp

Filesize
928KB

Download
memory/1636-55-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-56-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1636-57-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/1636-58-0x0000000007E60000-0x0000000007F0E000-memory.dmp

Filesize
696KB

Download
memory/1636-59-0x0000000000B80000-0x0000000000BB0000-memory.dmp

Filesize
192KB

Download
memory/1956-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1956-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing