xloader | cc58e505c504c770a1031d30453615f7748b0618b872655ac79a059a072c194c

General

Target

QUOTE B1020363.PDF.exe
Size

598KB
MD5

ecc182f3b2feaedcd32a97c51f01f652
SHA1

2c5b57854e772c72f3410d3ee3a29e19b654af1d
SHA256

cc58e505c504c770a1031d30453615f7748b0618b872655ac79a059a072c194c
SHA512

a593ae7b7d81499589722f5b420d645a25b030c264b9ef490016cb7b9e6845cf674b0d25371670c8fef86b54b7716e3f34b70e44b7b084535d8963580e88050d

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.huamxvcyq.icu/aepn/

Decoy

noesos.com

partsus.xyz

manageordercentersupp.com

wickedwallart.com

hike4cash.com

theviragocircle.com

followthesharks.com

paradisevalleywines.com

unmetrolimpio.com

eurocarsnj.com

alvaroeliseo.com

bfc8.xyz

oldcourts.com

bkpef.info

mammately.com

agentcharles.com

wwwmichiganbulb.com

pensolid.info

hibiscushealthcare.com

mwanakbk.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1016-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1016-68-0x000000000041D070-mapping.dmp	xloader
behavioral1/memory/380-79-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTE B1020363.PDF.exeRegSvcs.exerundll32.exe

description	pid	process	target process
PID 1828 set thread context of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1016 set thread context of 1208	1016	RegSvcs.exe	Explorer.EXE
PID 1016 set thread context of 1208	1016	RegSvcs.exe	Explorer.EXE
PID 380 set thread context of 1208	380	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

QUOTE B1020363.PDF.exeRegSvcs.exerundll32.exe

pid	process
1828	QUOTE B1020363.PDF.exe
1828	QUOTE B1020363.PDF.exe
1016	RegSvcs.exe
1016	RegSvcs.exe
1016	RegSvcs.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe
380	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exerundll32.exe

pid process

1016 RegSvcs.exe
1016 RegSvcs.exe
1016 RegSvcs.exe
1016 RegSvcs.exe
380 rundll32.exe
380 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

QUOTE B1020363.PDF.exeRegSvcs.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1828 QUOTE B1020363.PDF.exe
Token: SeDebugPrivilege 1016 RegSvcs.exe
Token: SeDebugPrivilege 380 rundll32.exe

pid	process
1016	RegSvcs.exe
1016	RegSvcs.exe
1016	RegSvcs.exe
1016	RegSvcs.exe
380	rundll32.exe
380	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1828	QUOTE B1020363.PDF.exe
Token: SeDebugPrivilege	1016	RegSvcs.exe
Token: SeDebugPrivilege	380	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

QUOTE B1020363.PDF.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1828 wrote to memory of 1016	1828	QUOTE B1020363.PDF.exe	RegSvcs.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 1208 wrote to memory of 380	1208	Explorer.EXE	rundll32.exe
PID 380 wrote to memory of 1652	380	rundll32.exe	cmd.exe
PID 380 wrote to memory of 1652	380	rundll32.exe	cmd.exe
PID 380 wrote to memory of 1652	380	rundll32.exe	cmd.exe
PID 380 wrote to memory of 1652	380	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\QUOTE B1020363.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTE B1020363.PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-76-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/380-75-0x0000000000000000-mapping.dmp

Download
memory/380-81-0x0000000001E30000-0x0000000001EC0000-memory.dmp

Filesize
576KB

Download
memory/380-80-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/380-79-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/380-78-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/1016-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1016-68-0x000000000041D070-mapping.dmp

Download
memory/1016-70-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1016-71-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1016-73-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1208-72-0x0000000006150000-0x00000000062CF000-memory.dmp

Filesize
1.5MB

Download
memory/1208-74-0x00000000070E0000-0x0000000007287000-memory.dmp

Filesize
1.7MB

Download
memory/1208-82-0x0000000005FA0000-0x0000000006097000-memory.dmp

Filesize
988KB

Download
memory/1652-77-0x0000000000000000-mapping.dmp

Download
memory/1828-60-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1828-66-0x00000000045B0000-0x00000000045DE000-memory.dmp

Filesize
184KB

Download
memory/1828-65-0x00000000050C0000-0x0000000005133000-memory.dmp

Filesize
460KB

Download
memory/1828-64-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1828-63-0x0000000001E60000-0x0000000001E69000-memory.dmp

Filesize
36KB

Download
memory/1828-62-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads