xloader | d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf

Analysis

max time kernel
58s
max time network
72s
platform
windows10_x64
resource
win10-20220414-en
submitted
17-05-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
Size

600KB
MD5

24dc968b12dbfc6012c80e02d90a298a
SHA1

7791277c7160e3faa214c8a3cdef5ca6f88f4e10
SHA256

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf
SHA512

b03cdc096ea227daff61e384628178b4522e010b83a28741bc655132038763b116d7308c1b28177e4dcbe789de4bdea796faa6620f0f79f9efbd411e509b1578

Score

10^/10

xloader r007 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r007

Decoy

trashpandaservice.com

mobileads.network

ascolstore.com

gelsinextra.com

bonestell.net

heitoll.xyz

ceapgis.com

mon-lapin.biz

miq-eva.com

rematedesillas.com

playingonline.xyz

hausense.quest

tnyzw.com

appsdial.com

addcolor.city

hagenoblog.com

michaelwesleyj.com

she-zain.com

lorhsems.com

karmaserena.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1488-188-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1488-189-0x000000000041D9B0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

description	pid	process	target process
PID 2328 set thread context of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exed5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

pid	process
2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
1488	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
1488	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

description pid process

Token: SeDebugPrivilege 2328 d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

description	pid	process
Token: SeDebugPrivilege	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

description	pid	process	target process
PID 2328 wrote to memory of 4664	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 4664	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 4664	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1496	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1496	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1496	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
PID 2328 wrote to memory of 1488	2328	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe	d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe

C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe"
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe"
2⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe
"C:\Users\Admin\AppData\Local\Temp\d5a6a2433889b448cfa5ce29b7782a5eec937958cc571c1adf8993325474f6cf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-188-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1488-189-0x000000000041D9B0-mapping.dmp

Download
memory/1488-190-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/1488-196-0x0000000000F40000-0x0000000001260000-memory.dmp

Filesize
3.1MB

Download
memory/2328-118-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-119-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-120-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-121-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-122-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-123-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-124-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-125-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-126-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-127-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-128-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-129-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-130-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-131-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-132-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-133-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-134-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-135-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-136-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-137-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-138-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-139-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-140-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-141-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-142-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-143-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-144-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-145-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-146-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-147-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-148-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-149-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-150-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-151-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-152-0x0000000000770000-0x000000000080C000-memory.dmp

Filesize
624KB

Download
memory/2328-153-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-154-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-155-0x00000000056C0000-0x0000000005BBE000-memory.dmp

Filesize
5.0MB

Download
memory/2328-156-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-157-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2328-158-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/2328-159-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-160-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-161-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-162-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-163-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-164-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-165-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-166-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-167-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-168-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-169-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-170-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-171-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-172-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-173-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-174-0x0000000001340000-0x000000000134A000-memory.dmp

Filesize
40KB

Download
memory/2328-175-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-176-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-177-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-178-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-179-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-180-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-181-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-182-0x0000000005330000-0x000000000533E000-memory.dmp

Filesize
56KB

Download
memory/2328-183-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-184-0x0000000008AC0000-0x0000000008B56000-memory.dmp

Filesize
600KB

Download
memory/2328-185-0x0000000008BF0000-0x0000000008C56000-memory.dmp

Filesize
408KB

Download
memory/2328-186-0x0000000008B90000-0x0000000008BC8000-memory.dmp

Filesize
224KB

Download
memory/2328-187-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2328-192-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download