xloader | ddf31a344ff3e2e029d6744b609da539014db80c9a62b13d00d275bf25fa6d64

General

Target

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
Size

837KB
MD5

328eaa1e53fdeba2a8d99f4a5f0385dd
SHA1

9da77711434bfe5eb4f26365513c7663da5e9885
SHA256

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc
SHA512

475be1e25abb8697952b5014ebfa6d5e26eb3f0d312739771f4f0f91819f55b3620dbeb76c3bb47a7febf17f8588232d4cecb25cc130f7437d1d810dd8b0586d

Score

10^/10

xloader loader rat

Malware Config

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5048-138-0x0000000000400000-0x000000000042D000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description	pid	process	target process
PID 4416 set thread context of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

pid	process
4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
5048	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
5048	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description pid process

Token: SeDebugPrivilege 4416 985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description	pid	process
Token: SeDebugPrivilege	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

description	pid	process	target process
PID 4416 wrote to memory of 1340	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 1340	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 1340	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
PID 4416 wrote to memory of 5048	4416	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe	985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe

C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
"C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
"C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe"
2⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe
"C:\Users\Admin\AppData\Local\Temp\985bff9f5d8470baf0a3c5520eae6e8bb87a9761bd6c7ce41855c5c8cc0a58bc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-136-0x0000000000000000-mapping.dmp

Download
memory/4416-130-0x00000000006E0000-0x00000000007B8000-memory.dmp

Filesize
864KB

Download
memory/4416-131-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4416-132-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/4416-133-0x0000000002C00000-0x0000000002C0A000-memory.dmp

Filesize
40KB

Download
memory/4416-134-0x0000000008BC0000-0x0000000008C5C000-memory.dmp

Filesize
624KB

Download
memory/4416-135-0x0000000008C60000-0x0000000008CC6000-memory.dmp

Filesize
408KB

Download
memory/5048-137-0x0000000000000000-mapping.dmp

Download
memory/5048-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5048-139-0x0000000001190000-0x00000000014DA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads