xloader | 898e39ebe6bdfed0d216a54673ae93fe5349b1addd89e2891b969ff3745536f3

General

Target

d98f49c17101f5715e07e876585f6e6c.exe
Size

1.0MB
MD5

d98f49c17101f5715e07e876585f6e6c
SHA1

af67b2295f7cf496dd93be883bbd39b3e33a8360
SHA256

898e39ebe6bdfed0d216a54673ae93fe5349b1addd89e2891b969ff3745536f3
SHA512

84f45c4289fe27516ba6fbe00f66880625ff87ecdf641e57952181ea455beddaed98acae5710f0f9f47bd717fe66ae15d8b14ca230c029c90abc4a0d2d17850f
SSDEEP

12288:ZGAxqujfAPRyY983gp3KJsUAywxcB9BLbF6UKqhRXLWZrf97tXk0V+A:VqujfAPR3sA6J0yCC9hbXKabWZrTk

Score

10^/10

xloader bp39 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

bp39

Decoy

glembos.com

adjud.net

beautifyoils.com

chilewiki.com

duxingzi.com

happygromedia.com

restpostenboerse.com

vowsweddingofficiants.com

ladingjiwa.xyz

keepmakingefforts-001.com

yeniao.net

eyildirmaz.com

sayanghae.com

promoteboost.com

lzft.net

proudindiacompany.com

birchwoodmeridianlink.com

mesinionisasi.com

wwwrigalinks.com

wewearthepants.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2720-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

d98f49c17101f5715e07e876585f6e6c.exe

description pid process target process

PID 2836 set thread context of 2720 2836 d98f49c17101f5715e07e876585f6e6c.exe d98f49c17101f5715e07e876585f6e6c.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d98f49c17101f5715e07e876585f6e6c.exed98f49c17101f5715e07e876585f6e6c.exe

pid process

2836 d98f49c17101f5715e07e876585f6e6c.exe
2720 d98f49c17101f5715e07e876585f6e6c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d98f49c17101f5715e07e876585f6e6c.exe

description pid process

Token: SeDebugPrivilege 2836 d98f49c17101f5715e07e876585f6e6c.exe

description	pid	process	target process
PID 2836 set thread context of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe

pid	process
2836	d98f49c17101f5715e07e876585f6e6c.exe
2720	d98f49c17101f5715e07e876585f6e6c.exe

description	pid	process
Token: SeDebugPrivilege	2836	d98f49c17101f5715e07e876585f6e6c.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d98f49c17101f5715e07e876585f6e6c.exe

C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe
"C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe
"C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe"
2⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe
"C:\Users\Admin\AppData\Local\Temp\d98f49c17101f5715e07e876585f6e6c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-16-0x0000000000C40000-0x0000000000F43000-memory.dmp

Filesize
3.0MB

Download
memory/2720-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-3-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/2836-6-0x00000000057C0000-0x000000000585E000-memory.dmp

Filesize
632KB

Download
memory/2836-7-0x0000000000750000-0x000000000077E000-memory.dmp

Filesize
184KB

Download
memory/2836-5-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/2836-4-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-1-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-2-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/2836-15-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-0-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download

description	pid	process	target process
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2848	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe
PID 2836 wrote to memory of 2720	2836	d98f49c17101f5715e07e876585f6e6c.exe	d98f49c17101f5715e07e876585f6e6c.exe

Analysis

Sharing