xloader | c076e25acd902f35a52bdb12240494e39df85412b09111e451afdc584487b5df

General

Target

xvhostb.exe
Size

611KB
MD5

a1d6e3ac3ee1adbbc7a16e5f7d7cac1d
SHA1

c389f7fe73ba9c75d391c9f9c2bcff87c51556c7
SHA256

c076e25acd902f35a52bdb12240494e39df85412b09111e451afdc584487b5df
SHA512

d247593dcf889544745ff02599f8094811a83a159c9818c377b00ff39daa68be8125f799d23074b57e2ddfeb878b5d68615e3f258e646164aca98c19dba5807b

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.allindiatrust.com/sbjq/

Decoy

topbrandslook.xyz

kupilabs.com

cedrick.net

91mh.info

ajoph.net

finishtheverse.com

pondokquranaljariyah.com

happyhoopoe.com

lowcostfooddelivery.com

estudiosvacunacovid19-co.com

iestradanhhome.com

xn--caasymas-e3a.com

shopqls.com

wpnator.com

parentedagency.com

nundmshop.com

lodosmimarlik.com

ccidyy.xyz

bem-vestida.com

smartincomeafrica.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/820-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/820-67-0x000000000041D060-mapping.dmp	xloader
behavioral1/memory/1912-75-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe

pid	process
1684	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xvhostb.exexvhostb.exeNETSTAT.EXE

description	pid	process	target process
PID 2040 set thread context of 820	2040	xvhostb.exe	xvhostb.exe
PID 820 set thread context of 1272	820	xvhostb.exe	Explorer.EXE
PID 1912 set thread context of 1272	1912	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1912 NETSTAT.EXE

pid	process
1912	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

xvhostb.exexvhostb.exeNETSTAT.EXE

pid	process
2040	xvhostb.exe
2040	xvhostb.exe
820	xvhostb.exe
820	xvhostb.exe
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE
1912	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

xvhostb.exeNETSTAT.EXE

pid process

820 xvhostb.exe
820 xvhostb.exe
820 xvhostb.exe
1912 NETSTAT.EXE
1912 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xvhostb.exexvhostb.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2040 xvhostb.exe
Token: SeDebugPrivilege 820 xvhostb.exe
Token: SeDebugPrivilege 1912 NETSTAT.EXE

pid	process
820	xvhostb.exe
820	xvhostb.exe
820	xvhostb.exe
1912	NETSTAT.EXE
1912	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2040	xvhostb.exe
Token: SeDebugPrivilege	820	xvhostb.exe
Token: SeDebugPrivilege	1912	NETSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

xvhostb.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 2040 wrote to memory of 820	2040	xvhostb.exe	xvhostb.exe
PID 1272 wrote to memory of 1912	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 1912	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 1912	1272	Explorer.EXE	NETSTAT.EXE
PID 1272 wrote to memory of 1912	1272	Explorer.EXE	NETSTAT.EXE
PID 1912 wrote to memory of 1684	1912	NETSTAT.EXE	cmd.exe
PID 1912 wrote to memory of 1684	1912	NETSTAT.EXE	cmd.exe
PID 1912 wrote to memory of 1684	1912	NETSTAT.EXE	cmd.exe
PID 1912 wrote to memory of 1684	1912	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\xvhostb.exe
"C:\Users\Admin\AppData\Local\Temp\xvhostb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\xvhostb.exe
"C:\Users\Admin\AppData\Local\Temp\xvhostb.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xvhostb.exe"
3⤵
- Deletes itself
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/820-70-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/820-69-0x0000000000D80000-0x0000000001083000-memory.dmp

Filesize
3.0MB

Download
memory/820-67-0x000000000041D060-mapping.dmp

Download
memory/1272-78-0x0000000006090000-0x00000000061C2000-memory.dmp

Filesize
1.2MB

Download
memory/1272-71-0x0000000004A90000-0x0000000004BE8000-memory.dmp

Filesize
1.3MB

Download
memory/1684-73-0x0000000000000000-mapping.dmp

Download
memory/1912-72-0x0000000000000000-mapping.dmp

Download
memory/1912-74-0x0000000000890000-0x0000000000899000-memory.dmp

Filesize
36KB

Download
memory/1912-76-0x0000000002200000-0x0000000002503000-memory.dmp

Filesize
3.0MB

Download
memory/1912-75-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1912-77-0x0000000001FC0000-0x0000000002050000-memory.dmp

Filesize
576KB

Download
memory/2040-65-0x0000000000660000-0x000000000069D000-memory.dmp

Filesize
244KB

Download
memory/2040-64-0x0000000004F20000-0x0000000004FA2000-memory.dmp

Filesize
520KB

Download
memory/2040-63-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2040-62-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/2040-59-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2040-61-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads