xloader | 795cbf921ad4645f3b16761091d40bba19bc65ea2edd1f35f1083c548ecdb41f

General

Target

Bank Details.exe
Size

1.1MB
MD5

bfb651eda6ae35c7faf71897ea5957fe
SHA1

53b0a31eda2c480b1c193a318a69a00a619ff071
SHA256

67ad3d12a1b7bbca0e3f0d809156aaf250cde5ea7e626d32787670e6358a9b85
SHA512

4d5e0ce641ba73eed1132a19726e3843f042effab62c912823c35ffd071cfc4f26c52c8023187c431c83989d1d278fa618a621088d8327b8ed952cc9d2ddace8

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.baseballisland.com/oop8/

Decoy

beidafu.net

negociosejogos.com

operation-eskimo.wtf

construccionesap.com

pitpi.net

indasc.com

kunleizz.com

dichvusocial.net

xn--80azfm8d.net

radfw.com

rahmatdigitalpro.online

osswestpoint.com

suelorefrigerante.com

cantevencandles.com

markdicas.com

thasaas.com

stclairneighbourrep.com

wzbtlm.com

clinicointegralbcn.info

lactpeel-konyu.club

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3396-126-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3396-127-0x000000000041D040-mapping.dmp	xloader
behavioral2/memory/1536-134-0x0000000000E10000-0x0000000000E38000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Bank Details.exeBank Details.execolorcpl.exe

description	pid	process	target process
PID 996 set thread context of 3396	996	Bank Details.exe	Bank Details.exe
PID 3396 set thread context of 2180	3396	Bank Details.exe	Explorer.EXE
PID 1536 set thread context of 2180	1536	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Bank Details.exeBank Details.execolorcpl.exe

pid	process
996	Bank Details.exe
996	Bank Details.exe
996	Bank Details.exe
3396	Bank Details.exe
3396	Bank Details.exe
3396	Bank Details.exe
3396	Bank Details.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe
1536	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Bank Details.execolorcpl.exe

pid process

3396 Bank Details.exe
3396 Bank Details.exe
3396 Bank Details.exe
1536 colorcpl.exe
1536 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bank Details.exeBank Details.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 996 Bank Details.exe
Token: SeDebugPrivilege 3396 Bank Details.exe
Token: SeDebugPrivilege 1536 colorcpl.exe

pid	process
3396	Bank Details.exe
3396	Bank Details.exe
3396	Bank Details.exe
1536	colorcpl.exe
1536	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	996	Bank Details.exe
Token: SeDebugPrivilege	3396	Bank Details.exe
Token: SeDebugPrivilege	1536	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Bank Details.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 996 wrote to memory of 3396	996	Bank Details.exe	Bank Details.exe
PID 2180 wrote to memory of 1536	2180	Explorer.EXE	colorcpl.exe
PID 2180 wrote to memory of 1536	2180	Explorer.EXE	colorcpl.exe
PID 2180 wrote to memory of 1536	2180	Explorer.EXE	colorcpl.exe
PID 1536 wrote to memory of 1648	1536	colorcpl.exe	cmd.exe
PID 1536 wrote to memory of 1648	1536	colorcpl.exe	cmd.exe
PID 1536 wrote to memory of 1648	1536	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
  "C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
    3⤵
    PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-125-0x0000000001620000-0x000000000165D000-memory.dmp

Filesize
244KB

Download
memory/996-124-0x0000000001590000-0x0000000001613000-memory.dmp

Filesize
524KB

Download
memory/996-114-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/996-118-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/996-119-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/996-120-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/996-121-0x00000000056E0000-0x0000000005BDE000-memory.dmp

Filesize
5.0MB

Download
memory/996-122-0x000000007F0E0000-0x000000007F0E1000-memory.dmp

Filesize
4KB

Download
memory/996-123-0x0000000006410000-0x0000000006419000-memory.dmp

Filesize
36KB

Download
memory/996-116-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/996-117-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/1536-132-0x0000000000000000-mapping.dmp

Download
memory/1536-133-0x0000000001240000-0x0000000001259000-memory.dmp

Filesize
100KB

Download
memory/1536-134-0x0000000000E10000-0x0000000000E38000-memory.dmp

Filesize
160KB

Download
memory/1536-136-0x0000000004E40000-0x0000000005160000-memory.dmp

Filesize
3.1MB

Download
memory/1536-137-0x0000000004D20000-0x0000000004DAF000-memory.dmp

Filesize
572KB

Download
memory/1648-135-0x0000000000000000-mapping.dmp

Download
memory/2180-138-0x0000000005770000-0x000000000589C000-memory.dmp

Filesize
1.2MB

Download
memory/2180-131-0x0000000005660000-0x000000000576C000-memory.dmp

Filesize
1.0MB

Download
memory/3396-129-0x0000000001820000-0x0000000001B40000-memory.dmp

Filesize
3.1MB

Download
memory/3396-130-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/3396-127-0x000000000041D040-mapping.dmp

Download
memory/3396-126-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads