xloader | 4448-133-0x0000000000400000-0x000000000042A000-memory[.]dmp

General

Target

4448-133-0x0000000000400000-0x000000000042A000-memory.dmp
Size

168KB
MD5

c9c6672a0a42bea8b2473dcbbe0b0dcf
SHA1

c8523d7ad66ce794e653555099ab183f893de4e2
SHA256

4449877bcff1885b6b2862d528094e374c61a107880a153f0bc29463699893bc
SHA512

211dfa5c28b55480a7cf2c5a91dff07d56cbc16b38f62a26ca30f50c620957c50dbf2ebd2ba3a01542aa48249a8df1495278cc974d6af446b5e1540509f65c52
SSDEEP

3072:cxJpHjrvms4YAoSqFwM5NMm2tmPv9kZDoItHnpzk2KQY5bCZKCof:cdDFhCM5yNW9kZkItHnpzkfrR

Score

10^/10

rat arh2 xloader

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arh2

Decoy

anniversaryalert.com

kinship.space

buabdullagroup.com

ghostprotectionagency.com

scion-go-getter.com

skindeepapp.com

kysp3.xyz

bonitaspringshomesearch.com

bestdeals2022.online

themarketingstinger.com

chengkayouxuan.com

fendoremi.com

j-stra.com

klingelecn.net

deluxecarepro.com

huanbaodg.com

mes-dents-blanches.com

solutionsemissionsimplifiee.com

abedbashir.tech

good-collection.store

Signatures

Xloader Payload 1 IoCs
rat

Processes:

resource yara_rule

sample xloader
Xloader family
xloader

resource	yara_rule
sample	xloader

Files

4448-133-0x0000000000400000-0x000000000042A000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 159KB - Virtual size: 158KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 159KB - Virtual size: 158KB

.rsrc Size: 1024B - Virtual size: 960B

.text
Size: 159KB - Virtual size: 158KB

.rsrc
Size: 1024B - Virtual size: 960B