xloader | ddf31a344ff3e2e029d6744b609da539014db80c9a62b13d00d275bf25fa6d64

General

Target

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
Size

837KB
MD5

328eaa1e53fdeba2a8d99f4a5f0385dd
SHA1

9da77711434bfe5eb4f26365513c7663da5e9885
SHA256

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc
SHA512

475be1e25abb8697952b5014ebfa6d5e26eb3f0d312739771f4f0f91819f55b3620dbeb76c3bb47a7febf17f8588232d4cecb25cc130f7437d1d810dd8b0586d

Score

10^/10

xloader loader rat

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1708-63-0x0000000000400000-0x000000000042D000-memory.dmp	xloader
behavioral1/memory/1708-64-0x00000000004202C0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description	pid	process	target process
PID 1380 set thread context of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

pid process

1708 985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

pid	process
1708	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description	pid	process	target process
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 1380 wrote to memory of 1708	1380	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
"C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

memory/1380-54-0x0000000000930000-0x0000000000A08000-memory.dmp

Filesize
864KB

Download
memory/1380-55-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1380-56-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/1380-57-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1380-58-0x0000000004F60000-0x0000000004FD6000-memory.dmp

Filesize
472KB

Download
memory/1380-59-0x0000000004D70000-0x0000000004DA2000-memory.dmp

Filesize
200KB

Download
memory/1708-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1708-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1708-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1708-64-0x00000000004202C0-mapping.dmp

Download
memory/1708-65-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

Filesize
3.0MB

Download