xloader | d0fd68de07eaddfd233b49bad8c222121ee284d8f783900d22e074accbcf7c2e

General

Target

dAkPKAwtoDLxTrD.exe
Size

836KB
MD5

70546f38493221036fa4704f272ca6da
SHA1

33994e6316abe2f24c448d916fb53c5468d0f76e
SHA256

d0fd68de07eaddfd233b49bad8c222121ee284d8f783900d22e074accbcf7c2e
SHA512

a1cd4799dcd8e7b9cc56df71388faf0749e69a832e0b2ceb16f1956659ac1d24d8f1906e34b9ee2f94f686a43e80556014bb9f01a5ba5160224a40e30e30efbe

Score

10^/10

xloader b8eu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b8eu

Decoy

coeusconsultancy.com

allutravel.com

frustratedsportsfan.com

notch.host

cvkur.com

dunamisathletics.com

citycourtlafayetteclass.com

tastingpay.com

beriteautoglass.com

mexicanaenergy.com

karaokepkllkb.xyz

equiposymaquinasparamineria.com

fsmgayrimenkulbursa.com

femmequidanseaveclalune.com

frfrjrbfkfncifnsnqwnxbcb.com

jmwxhsbktiyq7.xyz

nevirame.com

wppaulwriter.com

anandiaper.xyz

krasamart.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1048-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

dAkPKAwtoDLxTrD.exe

description pid process target process

PID 756 set thread context of 1048 756 dAkPKAwtoDLxTrD.exe dAkPKAwtoDLxTrD.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

564 1048 WerFault.exe dAkPKAwtoDLxTrD.exe

description	pid	process	target process
PID 756 set thread context of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe

pid	pid_target	process	target process
564	1048	WerFault.exe	dAkPKAwtoDLxTrD.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

dAkPKAwtoDLxTrD.exedAkPKAwtoDLxTrD.exe

description	pid	process	target process
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 756 wrote to memory of 1048	756	dAkPKAwtoDLxTrD.exe	dAkPKAwtoDLxTrD.exe
PID 1048 wrote to memory of 564	1048	dAkPKAwtoDLxTrD.exe	WerFault.exe
PID 1048 wrote to memory of 564	1048	dAkPKAwtoDLxTrD.exe	WerFault.exe
PID 1048 wrote to memory of 564	1048	dAkPKAwtoDLxTrD.exe	WerFault.exe
PID 1048 wrote to memory of 564	1048	dAkPKAwtoDLxTrD.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dAkPKAwtoDLxTrD.exe
"C:\Users\Admin\AppData\Local\Temp\dAkPKAwtoDLxTrD.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\dAkPKAwtoDLxTrD.exe
"C:\Users\Admin\AppData\Local\Temp\dAkPKAwtoDLxTrD.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 36
3⤵
- Program crash
PID:564

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-54-0x0000000001230000-0x0000000001308000-memory.dmp

Filesize
864KB

Download
memory/756-56-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/756-55-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/756-57-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/756-58-0x0000000008370000-0x000000000841E000-memory.dmp

Filesize
696KB

Download
memory/756-59-0x00000000006C0000-0x00000000006F0000-memory.dmp

Filesize
192KB

Download
memory/1048-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1048-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing