xloader | e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25

General

Target

$PLUGINSDIR/feczzkflxf.dll
Size

30KB
MD5

895a48f7b6d967eb813de8f96b0aca55
SHA1

821be080225a3415d6db2e6b269e841b0605ad93
SHA256

f00a637108b667cb6fc1c265c6e0fdcf650156d3100a6de084d430971ed03393
SHA512

5acd3940d4f55124c32a49325bdc8d59f2805882ea2c43b9b92db95861fb19ed3971a98f82cf3fffae42c2d243dbe2aaac05f50760adac4afd6a4065374dca60
SSDEEP

768:nYYsBQJDh7wN4Ce10NUW5gPO8P9MOVnF06ZTt07IKt:nIBQJDPGgPO8P9vnF06P07J

Score

10^/10

xloader ou3t loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ou3t

Decoy

toteitwithtara.com

scienbunny.com

stlukeumcaustin.com

hypnoticbeauty.net

artisanmakefurniture.com

usaonlinedrs.com

lifeshopdeluxe.com

paddlethepoosa.com

mobilismedlabs.net

iwumenssoccercamps.com

fjgsdgr.com

excelsiorhongkong.online

air.ink

grantopwincup.website

appi50dh.com

link-efootballpoin-konami.com

hukugiyho-life-no1.moe

azevedogroupdev.com

nichemedicalsupport.com

rastipponmkh.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/1220-1-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/1220-5-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/1220-10-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2840-15-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 2088 set thread context of 1220	2088	rundll32.exe	rundll32.exe
PID 1220 set thread context of 1188	1220	rundll32.exe	Explorer.EXE
PID 1220 set thread context of 1188	1220	rundll32.exe	Explorer.EXE
PID 2840 set thread context of 1188	2840	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

rundll32.execmd.exe

pid	process
1220	rundll32.exe
1220	rundll32.exe
1220	rundll32.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe
2840	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execmd.exe

pid process

1220 rundll32.exe
1220 rundll32.exe
1220 rundll32.exe
1220 rundll32.exe
2840 cmd.exe
2840 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.execmd.exe

description pid process

Token: SeDebugPrivilege 1220 rundll32.exe
Token: SeDebugPrivilege 2840 cmd.exe

description	pid	process
Token: SeDebugPrivilege	1220	rundll32.exe
Token: SeDebugPrivilege	2840	cmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

rundll32.exerundll32.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 2088	2628	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1220	2088	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	cmd.exe
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	cmd.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	cmd.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\feczzkflxf.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\feczzkflxf.dll,#1
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\feczzkflxf.dll,#1
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\rundll32.exe"
3⤵
PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-7-0x0000000004F40000-0x0000000005019000-memory.dmp

Filesize
868KB

Download
memory/1188-17-0x0000000005250000-0x0000000005373000-memory.dmp

Filesize
1.1MB

Download
memory/1188-12-0x0000000005250000-0x0000000005373000-memory.dmp

Filesize
1.1MB

Download
memory/1188-9-0x0000000004F40000-0x0000000005019000-memory.dmp

Filesize
868KB

Download
memory/1220-3-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/1220-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1220-6-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/1220-11-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1220-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1220-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2088-0-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2088-2-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2840-14-0x000000004A3A0000-0x000000004A3EC000-memory.dmp

Filesize
304KB

Download
memory/2840-13-0x000000004A3A0000-0x000000004A3EC000-memory.dmp

Filesize
304KB

Download
memory/2840-15-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads