xloader | da0e2504009a426b799d9135979188e2c4533f69c2e981650afc51d5e8e320c2

General

Target

$PLUGINSDIR/evpz.dll
Size

32KB
MD5

c820bfe346d35f1ed0d3017cadb8f16d
SHA1

a98131691df2b4445124304307130888050fe410
SHA256

439e5f590b4bea13a9bfb7c94bbd8fa99f45a310dc44c241db2375b4e8923cb3
SHA512

7d89e8677b46c3456559a0061f992be6169c63ec6a2a2eb7ec73ff36fe1fc28cbdbf3436c74fe528572b14f6865ec0f03e5480782243674ffc4423a00cefc66f
SSDEEP

384:uIbr7TBKwNuNjiVMauKBO1AhvxF756rLAK5GNrPAg9K8OtwBpYxjETl7:uIZfYNjCy1kxFsr5GNr195OccETp

Score

10^/10

xloader mxnu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/388-1-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral4/memory/388-5-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral4/memory/388-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral4/memory/3632-14-0x0000000000AF0000-0x0000000000B19000-memory.dmp	xloader
behavioral4/memory/3632-16-0x0000000000AF0000-0x0000000000B19000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exerundll32.execmmon32.exe

description	pid	process	target process
PID 3756 set thread context of 388	3756	rundll32.exe	rundll32.exe
PID 388 set thread context of 3392	388	rundll32.exe	Explorer.EXE
PID 388 set thread context of 3392	388	rundll32.exe	Explorer.EXE
PID 3632 set thread context of 3392	3632	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

rundll32.execmmon32.exe

pid	process
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execmmon32.exe

pid process

388 rundll32.exe
388 rundll32.exe
388 rundll32.exe
388 rundll32.exe
3632 cmmon32.exe
3632 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.execmmon32.exe

description pid process

Token: SeDebugPrivilege 388 rundll32.exe
Token: SeDebugPrivilege 3632 cmmon32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	388	rundll32.exe
Token: SeDebugPrivilege	3632	cmmon32.exe

pid	process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3332 wrote to memory of 3756	3332	rundll32.exe	rundll32.exe
PID 3332 wrote to memory of 3756	3332	rundll32.exe	rundll32.exe
PID 3332 wrote to memory of 3756	3332	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3756 wrote to memory of 388	3756	rundll32.exe	rundll32.exe
PID 3392 wrote to memory of 3632	3392	Explorer.EXE	cmmon32.exe
PID 3392 wrote to memory of 3632	3392	Explorer.EXE	cmmon32.exe
PID 3392 wrote to memory of 3632	3392	Explorer.EXE	cmmon32.exe
PID 3632 wrote to memory of 4616	3632	cmmon32.exe	cmd.exe
PID 3632 wrote to memory of 4616	3632	cmmon32.exe	cmd.exe
PID 3632 wrote to memory of 4616	3632	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\evpz.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\evpz.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\evpz.dll,#1
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
3⤵
PID:4616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-3-0x0000000002990000-0x0000000002CDA000-memory.dmp

Filesize
3.3MB

Download
memory/388-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-6-0x0000000002920000-0x0000000002931000-memory.dmp

Filesize
68KB

Download
memory/388-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/388-10-0x0000000002960000-0x0000000002971000-memory.dmp

Filesize
68KB

Download
memory/3392-19-0x0000000008CC0000-0x0000000008E3F000-memory.dmp

Filesize
1.5MB

Download
memory/3392-26-0x0000000008E40000-0x0000000008FC0000-memory.dmp

Filesize
1.5MB

Download
memory/3392-7-0x0000000002700000-0x00000000027F0000-memory.dmp

Filesize
960KB

Download
memory/3392-11-0x0000000008CC0000-0x0000000008E3F000-memory.dmp

Filesize
1.5MB

Download
memory/3392-22-0x0000000008E40000-0x0000000008FC0000-memory.dmp

Filesize
1.5MB

Download
memory/3392-21-0x0000000008E40000-0x0000000008FC0000-memory.dmp

Filesize
1.5MB

Download
memory/3632-12-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/3632-15-0x0000000002B00000-0x0000000002E4A000-memory.dmp

Filesize
3.3MB

Download
memory/3632-16-0x0000000000AF0000-0x0000000000B19000-memory.dmp

Filesize
164KB

Download
memory/3632-17-0x0000000002830000-0x00000000028C0000-memory.dmp

Filesize
576KB

Download
memory/3632-14-0x0000000000AF0000-0x0000000000B19000-memory.dmp

Filesize
164KB

Download
memory/3632-13-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/3756-0-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3756-2-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads