xloader | e8bb9e81ed75437b45f90b1c65e3100c618090d66d7fa37f5208fedc6972f142

General

Target

1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Size

1.2MB
MD5

1dce0fc0bcc3ed4f7af74bdaeef37a5f
SHA1

44db74becdf78474e7b4418cd24274b88410c02f
SHA256

e8bb9e81ed75437b45f90b1c65e3100c618090d66d7fa37f5208fedc6972f142
SHA512

55770eaac58703a98bb05f8da7b7357cd09b747de3dbb89f41fae380d6fa50ad5302398c8b8fffa18257b234e5f3e7a7a315bd0470f379720d34fd8b1e317f46
SSDEEP

24576:cxOsBgo0q4wMMBmCmTOUd+L6kLXWGmHUdR6B8w5+lx/2:cIoHMUmCm6Ud+zLXbmHVB8Bx+

Score

10^/10

xloader wten loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wten

Decoy

largshomebuyers.com

hqs.xyz

stormvalleysoapco.com

coolsoftware.xyz

creditfitbootcamp.com

mdroc.com

cooperseyewear.com

mrleyos.com

apipacking.com

mtdivas.com

bim3dstudio.com

ngdnwgtsf.club

arknmhsc.com

expowe.icu

surfacesupplierscanada.com

thinbluelion.com

vbetmalaysia.com

christcarriers.com

easternshoreautobody.com

healthyvibrantandbeautiful.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/1876-3-0x0000000000660000-0x0000000000672000-memory.dmp	CustAttr

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1824-14-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
1824	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2440	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	30
PID 1876 wrote to memory of 2440	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	30
PID 1876 wrote to memory of 2440	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	30
PID 1876 wrote to memory of 2440	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	30
PID 1876 wrote to memory of 2264	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	31
PID 1876 wrote to memory of 2264	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	31
PID 1876 wrote to memory of 2264	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	31
PID 1876 wrote to memory of 2264	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	31
PID 1876 wrote to memory of 2748	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	32
PID 1876 wrote to memory of 2748	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	32
PID 1876 wrote to memory of 2748	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	32
PID 1876 wrote to memory of 2748	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	32
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33
PID 1876 wrote to memory of 1824	1876	1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe	33

C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
"C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
  "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
  2⤵
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
  "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
  "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
  "C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1824-16-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1824-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1824-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1824-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1876-3-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1876-6-0x00000000052D0000-0x000000000534C000-memory.dmp

Filesize
496KB

Download
memory/1876-7-0x0000000000700000-0x0000000000734000-memory.dmp

Filesize
208KB

Download
memory/1876-5-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1876-4-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-1-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-2-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1876-15-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-0-0x0000000000110000-0x000000000024C000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing