xloader | 2f37acc02dcd18187787832e1037ee817645c1aa3db6a2c2e41b1aabd38e1acd

Analysis

max time kernel
51s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

urgent order.exe
Size

479KB
MD5

c8bc19e40ae65636493dda2221dcc671
SHA1

22c4b475842a1881a36de31176f9e03215730f55
SHA256

2f37acc02dcd18187787832e1037ee817645c1aa3db6a2c2e41b1aabd38e1acd
SHA512

739ce4f3aa550c6bef498f2f1f6c0e10cea0659c6aa381fa8dfc63727f2a832bd4e40de53272a2436bf6403d7899609b28690901595a2c5232eb1d3cc5c71379

Score

10^/10

xloader i3gs loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

i3gs

Decoy

cbheyusk.xyz

magesticbuckphotography.com

fre2robux.xyz

viwaves.com

aveoblackops.com

doctorcoon.com

ariasin.com

ecommercelojass.com

hidden-stone.com

formoney.space

4camerlcas.com

ycygdq.com

wnubd.info

lovelygalore.space

jennafergrace-us.com

antojitoschamoy.com

metafarmacias.net

ownersstar.com

bllogin.com

lgzah.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1948-57-0x0000000000940000-0x000000000096B000-memory.dmp	xloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2020 1948 WerFault.exe urgent order.exe

pid	pid_target	process	target process
2020	1948	WerFault.exe	urgent order.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

urgent order.exe

description	pid	process	target process
PID 1948 wrote to memory of 2020	1948	urgent order.exe	WerFault.exe
PID 1948 wrote to memory of 2020	1948	urgent order.exe	WerFault.exe
PID 1948 wrote to memory of 2020	1948	urgent order.exe	WerFault.exe
PID 1948 wrote to memory of 2020	1948	urgent order.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\urgent order.exe
"C:\Users\Admin\AppData\Local\Temp\urgent order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 600
2⤵
- Program crash
PID:2020

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-54-0x0000000000B90000-0x0000000000C0E000-memory.dmp

Filesize
504KB

Download
memory/1948-55-0x0000000000AF0000-0x0000000000B5E000-memory.dmp

Filesize
440KB

Download
memory/1948-56-0x0000000000470000-0x00000000004BC000-memory.dmp

Filesize
304KB

Download
memory/1948-57-0x0000000000940000-0x000000000096B000-memory.dmp

Filesize
172KB

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download