xloader | cacc2fce9fcad0d3c1cdfba7595e558e839a191b2c6f9dd6215236747fb04b3a

General

Target

Gkumwpprp.exe
Size

466KB
MD5

586fd59bae867e97a33e998346b3034e
SHA1

ca5f8535736e031203f1494332b809604b53e986
SHA256

cacc2fce9fcad0d3c1cdfba7595e558e839a191b2c6f9dd6215236747fb04b3a
SHA512

a4bd54f93bc31b89bca8c565780ad083368e4bfc8e1fe2c5eef519464fefba601043f253ed1da4768be73d31c4dfa0d68af92a58d38768e223b1cca968a046c5

Score

10^/10

xloader i3gs loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

i3gs

Decoy

cbheyusk.xyz

magesticbuckphotography.com

fre2robux.xyz

viwaves.com

aveoblackops.com

doctorcoon.com

ariasin.com

ecommercelojass.com

hidden-stone.com

formoney.space

4camerlcas.com

ycygdq.com

wnubd.info

lovelygalore.space

jennafergrace-us.com

antojitoschamoy.com

metafarmacias.net

ownersstar.com

bllogin.com

lgzah.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1044-65-0x0000000000480000-0x00000000004AB000-memory.dmp	xloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 1044 WerFault.exe Gkumwpprp.exe

pid	pid_target	process	target process
1976	1044	WerFault.exe	Gkumwpprp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Gkumwpprp.exe

description	pid	process	target process
PID 1044 wrote to memory of 1976	1044	Gkumwpprp.exe	WerFault.exe
PID 1044 wrote to memory of 1976	1044	Gkumwpprp.exe	WerFault.exe
PID 1044 wrote to memory of 1976	1044	Gkumwpprp.exe	WerFault.exe
PID 1044 wrote to memory of 1976	1044	Gkumwpprp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Gkumwpprp.exe
"C:\Users\Admin\AppData\Local\Temp\Gkumwpprp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 688
2⤵
- Program crash
PID:1976

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-62-0x0000000070820000-0x0000000070F5E000-memory.dmp

Filesize
7.2MB

Download
memory/1044-72-0x0000000072E70000-0x00000000741FF000-memory.dmp

Filesize
19.6MB

Download
memory/1044-54-0x0000000000110000-0x000000000018A000-memory.dmp

Filesize
488KB

Download
memory/1044-57-0x0000000072460000-0x0000000072E70000-memory.dmp

Filesize
10.1MB

Download
memory/1044-58-0x0000000074A20000-0x0000000074BB4000-memory.dmp

Filesize
1.6MB

Download
memory/1044-59-0x0000000071740000-0x000000007245D000-memory.dmp

Filesize
13.1MB

Download
memory/1044-60-0x0000000070F60000-0x0000000071740000-memory.dmp

Filesize
7.9MB

Download
memory/1044-61-0x0000000074920000-0x0000000074A1C000-memory.dmp

Filesize
1008KB

Download
memory/1044-56-0x0000000072E70000-0x00000000741FF000-memory.dmp

Filesize
19.6MB

Download
memory/1044-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1044-65-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/1044-64-0x00000000020C0000-0x000000000210C000-memory.dmp

Filesize
304KB

Download
memory/1044-66-0x0000000072E70000-0x00000000741FF000-memory.dmp

Filesize
19.6MB

Download
memory/1044-67-0x0000000072460000-0x0000000072E70000-memory.dmp

Filesize
10.1MB

Download
memory/1044-68-0x0000000074A20000-0x0000000074BB4000-memory.dmp

Filesize
1.6MB

Download
memory/1044-69-0x0000000071740000-0x000000007245D000-memory.dmp

Filesize
13.1MB

Download
memory/1044-70-0x0000000070F60000-0x0000000071740000-memory.dmp

Filesize
7.9MB

Download
memory/1044-63-0x0000000000700000-0x0000000000768000-memory.dmp

Filesize
416KB

Download
memory/1976-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing