xloader | 9348d147d1f5ed420fed457cca4ccde6479c966788f948e67ce2031472186cc0

Analysis

max time kernel
41s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-05-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
Size

341KB
MD5

2a11ef715093c4429cd05dc3950c7f89
SHA1

3199e3c72fc349d9cce951c2c8830d88a8da4454
SHA256

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158
SHA512

24f2d7a608d421258334144217e97dccdeb023d5e621774f213eda210a8937df0c7d12cfd02e8c96d5951011d6142a320ca3b40bedb8ac6ad5f95ccc6d3d2d0a
SSDEEP

6144:HqPwmYdAbc0C3LFDDOQmjUi0GL9jDAlPMKpPbd6j62AeI4KR0VoFtDFF7g:HqPwmYdAbc0CboQmjIGN6Pzd6j6/eWtU

Score

10^/10

xloader c6si loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c6si

Decoy

tristateinc.construction

americanscaregroundstexas.com

kanimisoshiru.com

wihling.com

fishcheekstosa.com

parentsfuid.com

greenstandmarket.com

fc8fla8kzq.com

gametwist-83.club

jobsncvs.com

directrealtysells.com

avida2015.com

conceptasite.net

arkaneattire.com

indev-mobility.info

2160centurypark412.com

valefloor.com

septembership.com

stackflix.com

jimc0sales.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/704-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

description	pid	process	target process
PID 920 set thread context of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

pid process

704 50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

pid	process
704	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

description	pid	process	target process
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
PID 920 wrote to memory of 704	920	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe	50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe

C:\Users\Admin\AppData\Local\Temp\50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
"C:\Users\Admin\AppData\Local\Temp\50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe
"C:\Users\Admin\AppData\Local\Temp\50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:704

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/704-63-0x00000000009F0000-0x0000000000CF3000-memory.dmp

Filesize
3.0MB

Download
memory/920-54-0x0000000000800000-0x000000000085C000-memory.dmp

Filesize
368KB

Download
memory/920-55-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/920-56-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/920-57-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/920-58-0x0000000004E90000-0x0000000004EEE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads