xloader | 08a758993c43a321076d8bbc7d9352f1affee8ae44db80c1cf2ced2e6f2cfed2

General

Target

svch.exe
Size

579KB
MD5

a750b5c841200037a4e03a27ba5a6382
SHA1

d795e2443adfd4c9c1c10fbce9df60551a11c464
SHA256

08a758993c43a321076d8bbc7d9352f1affee8ae44db80c1cf2ced2e6f2cfed2
SHA512

0f1dc2653fe7349620057fd523a17dad0d84f46e8f3f15685dcfd8114b347e2d8515197a9838fd5114fa3f45c09952998b086698f630c90605ec4677f25809df

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.xiangnanxiang.com/nqs9/

Decoy

vescuderoabogados.com

reednorth.com

zoeyline.com

kittenclub.online

srichinstest2blog.com

wide-house.com

highandmightycornwhiskey.com

investmentbankersroundtable.com

godnomics.com

lynperformancetraining.com

alitafinance.com

cristinaandmore.com

sexyseniors.directory

p1monline.com

followingsharks.com

lurkwood.com

shopnayzierose.com

didsss.com

christophergagnon.com

bestpreschoolinorlando.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1112-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1112-126-0x000000000041D150-mapping.dmp	xloader
behavioral2/memory/2244-134-0x0000000000850000-0x0000000000879000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

svch.exesvch.exesvchost.exe

description	pid	process	target process
PID 3540 set thread context of 1112	3540	svch.exe	svch.exe
PID 1112 set thread context of 2756	1112	svch.exe	Explorer.EXE
PID 2244 set thread context of 2756	2244	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

svch.exesvch.exesvchost.exe

pid	process
3540	svch.exe
3540	svch.exe
3540	svch.exe
3540	svch.exe
3540	svch.exe
1112	svch.exe
1112	svch.exe
1112	svch.exe
1112	svch.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe
2244	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

svch.exesvchost.exe

pid process

1112 svch.exe
1112 svch.exe
1112 svch.exe
2244 svchost.exe
2244 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svch.exesvch.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3540 svch.exe
Token: SeDebugPrivilege 1112 svch.exe
Token: SeDebugPrivilege 2244 svchost.exe

pid	process
1112	svch.exe
1112	svch.exe
1112	svch.exe
2244	svchost.exe
2244	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3540	svch.exe
Token: SeDebugPrivilege	1112	svch.exe
Token: SeDebugPrivilege	2244	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

svch.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3540 wrote to memory of 1940	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1940	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1940	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 3540 wrote to memory of 1112	3540	svch.exe	svch.exe
PID 2756 wrote to memory of 2244	2756	Explorer.EXE	svchost.exe
PID 2756 wrote to memory of 2244	2756	Explorer.EXE	svchost.exe
PID 2756 wrote to memory of 2244	2756	Explorer.EXE	svchost.exe
PID 2244 wrote to memory of 3848	2244	svchost.exe	cmd.exe
PID 2244 wrote to memory of 3848	2244	svchost.exe	cmd.exe
PID 2244 wrote to memory of 3848	2244	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\svch.exe
"C:\Users\Admin\AppData\Local\Temp\svch.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\svch.exe
"C:\Users\Admin\AppData\Local\Temp\svch.exe"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\svch.exe
"C:\Users\Admin\AppData\Local\Temp\svch.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3260

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\svch.exe"
3⤵
PID:3848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1112-128-0x00000000011E0000-0x0000000001500000-memory.dmp

Filesize
3.1MB

Download
memory/1112-129-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/1112-126-0x000000000041D150-mapping.dmp

Download
memory/2244-131-0x0000000000000000-mapping.dmp

Download
memory/2244-134-0x0000000000850000-0x0000000000879000-memory.dmp

Filesize
164KB

Download
memory/2244-136-0x0000000002E60000-0x0000000002EEF000-memory.dmp

Filesize
572KB

Download
memory/2244-135-0x0000000003290000-0x00000000035B0000-memory.dmp

Filesize
3.1MB

Download
memory/2244-133-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/2756-130-0x0000000006150000-0x0000000006290000-memory.dmp

Filesize
1.2MB

Download
memory/2756-137-0x0000000002750000-0x00000000027FB000-memory.dmp

Filesize
684KB

Download
memory/3540-119-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3540-118-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3540-117-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x00000000058A0000-0x0000000005D9E000-memory.dmp

Filesize
5.0MB

Download
memory/3540-116-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3540-124-0x00000000016B0000-0x00000000016DE000-memory.dmp

Filesize
184KB

Download
memory/3540-123-0x00000000018B0000-0x0000000001920000-memory.dmp

Filesize
448KB

Download
memory/3540-122-0x000000007F750000-0x000000007F751000-memory.dmp

Filesize
4KB

Download
memory/3540-121-0x0000000006520000-0x0000000006529000-memory.dmp

Filesize
36KB

Download
memory/3848-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads