xloader | 08a758993c43a321076d8bbc7d9352f1affee8ae44db80c1cf2ced2e6f2cfed2

General

Target

svch.exe
Size

579KB
MD5

a750b5c841200037a4e03a27ba5a6382
SHA1

d795e2443adfd4c9c1c10fbce9df60551a11c464
SHA256

08a758993c43a321076d8bbc7d9352f1affee8ae44db80c1cf2ced2e6f2cfed2
SHA512

0f1dc2653fe7349620057fd523a17dad0d84f46e8f3f15685dcfd8114b347e2d8515197a9838fd5114fa3f45c09952998b086698f630c90605ec4677f25809df

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.xiangnanxiang.com/nqs9/

Decoy

vescuderoabogados.com

reednorth.com

zoeyline.com

kittenclub.online

srichinstest2blog.com

wide-house.com

highandmightycornwhiskey.com

investmentbankersroundtable.com

godnomics.com

lynperformancetraining.com

alitafinance.com

cristinaandmore.com

sexyseniors.directory

p1monline.com

followingsharks.com

lurkwood.com

shopnayzierose.com

didsss.com

christophergagnon.com

bestpreschoolinorlando.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/324-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/324-68-0x000000000041D150-mapping.dmp	xloader
behavioral1/memory/1584-78-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe

pid	process
568	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

svch.exesvch.exehelp.exe

description	pid	process	target process
PID 784 set thread context of 324	784	svch.exe	svch.exe
PID 324 set thread context of 1268	324	svch.exe	Explorer.EXE
PID 324 set thread context of 1268	324	svch.exe	Explorer.EXE
PID 1584 set thread context of 1268	1584	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

svch.exesvch.exehelp.exe

pid process

784 svch.exe
784 svch.exe
324 svch.exe
324 svch.exe
324 svch.exe
1584 help.exe
1584 help.exe
1584 help.exe
1584 help.exe
1584 help.exe
1584 help.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

svch.exehelp.exe

pid process

324 svch.exe
324 svch.exe
324 svch.exe
324 svch.exe
1584 help.exe
1584 help.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svch.exesvch.exehelp.exe

description pid process

Token: SeDebugPrivilege 784 svch.exe
Token: SeDebugPrivilege 324 svch.exe
Token: SeDebugPrivilege 1584 help.exe

pid	process
784	svch.exe
784	svch.exe
324	svch.exe
324	svch.exe
324	svch.exe
1584	help.exe
1584	help.exe
1584	help.exe
1584	help.exe
1584	help.exe
1584	help.exe

pid	process
324	svch.exe
324	svch.exe
324	svch.exe
324	svch.exe
1584	help.exe
1584	help.exe

description	pid	process
Token: SeDebugPrivilege	784	svch.exe
Token: SeDebugPrivilege	324	svch.exe
Token: SeDebugPrivilege	1584	help.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

svch.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 784 wrote to memory of 324	784	svch.exe	svch.exe
PID 1268 wrote to memory of 1584	1268	Explorer.EXE	help.exe
PID 1268 wrote to memory of 1584	1268	Explorer.EXE	help.exe
PID 1268 wrote to memory of 1584	1268	Explorer.EXE	help.exe
PID 1268 wrote to memory of 1584	1268	Explorer.EXE	help.exe
PID 1584 wrote to memory of 568	1584	help.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	help.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	help.exe	cmd.exe
PID 1584 wrote to memory of 568	1584	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\svch.exe
"C:\Users\Admin\AppData\Local\Temp\svch.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\svch.exe
"C:\Users\Admin\AppData\Local\Temp\svch.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\svch.exe"
3⤵
- Deletes itself
PID:568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/324-68-0x000000000041D150-mapping.dmp

Download
memory/324-71-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/324-70-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/324-73-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/568-76-0x0000000000000000-mapping.dmp

Download
memory/784-62-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/784-63-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/784-64-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/784-65-0x0000000002390000-0x0000000002400000-memory.dmp

Filesize
448KB

Download
memory/784-66-0x0000000000C40000-0x0000000000C6E000-memory.dmp

Filesize
184KB

Download
memory/784-60-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1268-72-0x0000000006C20000-0x0000000006D5C000-memory.dmp

Filesize
1.2MB

Download
memory/1268-74-0x00000000074F0000-0x0000000007651000-memory.dmp

Filesize
1.4MB

Download
memory/1268-81-0x0000000004A20000-0x0000000004AB4000-memory.dmp

Filesize
592KB

Download
memory/1584-75-0x0000000000000000-mapping.dmp

Download
memory/1584-77-0x0000000000F90000-0x0000000000F96000-memory.dmp

Filesize
24KB

Download
memory/1584-78-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1584-79-0x00000000007F0000-0x0000000000AF3000-memory.dmp

Filesize
3.0MB

Download
memory/1584-80-0x0000000000660000-0x00000000006EF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads