xloader | 02ad8318feb2f8ce745e2cefa321f18d19b7ad72085664371033fada68bd6b91

General

Target

RQM6HLsZQYLa9qt.exe
Size

1.3MB
MD5

2d42eded04b592b539951f61742a736a
SHA1

d0c31bc164b18121ceb884859a9a5a5547ee437e
SHA256

02ad8318feb2f8ce745e2cefa321f18d19b7ad72085664371033fada68bd6b91
SHA512

634e5223d883e42be784a02c4882109140ef7a42a781d4142978bf7a3da40ae4c535a5dffca1e26160542338c437fe44ce8f84f8ab32b7df328ad7837517f4ff

Score

10^/10

xloader wdc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/968-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/968-62-0x000000000041D4C0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

RQM6HLsZQYLa9qt.exe

description pid process target process

PID 1092 set thread context of 968 1092 RQM6HLsZQYLa9qt.exe RQM6HLsZQYLa9qt.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 968 WerFault.exe RQM6HLsZQYLa9qt.exe

description	pid	process	target process
PID 1092 set thread context of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe

pid	pid_target	process	target process
2028	968	WerFault.exe	RQM6HLsZQYLa9qt.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RQM6HLsZQYLa9qt.exeRQM6HLsZQYLa9qt.exe

description	pid	process	target process
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 1092 wrote to memory of 968	1092	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 968 wrote to memory of 2028	968	RQM6HLsZQYLa9qt.exe	WerFault.exe
PID 968 wrote to memory of 2028	968	RQM6HLsZQYLa9qt.exe	WerFault.exe
PID 968 wrote to memory of 2028	968	RQM6HLsZQYLa9qt.exe	WerFault.exe
PID 968 wrote to memory of 2028	968	RQM6HLsZQYLa9qt.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe
"C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe
"C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 36
3⤵
- Program crash
PID:2028

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/968-62-0x000000000041D4C0-mapping.dmp

Download
memory/1092-54-0x00000000008E0000-0x0000000000A3A000-memory.dmp

Filesize
1.4MB

Download
memory/1092-55-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1092-56-0x0000000008200000-0x00000000082FA000-memory.dmp

Filesize
1000KB

Download
memory/1092-57-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/2028-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing