xloader | 3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e

General

Target

a3aa510e_by_Libranalysis.exe
Size

531KB
MD5

a3aa510eb6f74e8dfc7a8c3bcd0fedf6
SHA1

286e81ec896f6746a1ca48e59dc6735c25249a37
SHA256

3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e
SHA512

28c5048dda26762d5859488ef46cc222de632174e35d62e07b05ede307ec35309fd5636b53ba454e26386fb7033a8ae60f3cfe920b075cc1373589b14dfee2aa

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jqjdgw.com/ued5/

Decoy

italiancosmeticbeauty.com

zhima7.com

phresheffect.com

comp-savvy.net

xjhtcaum.com

copperbrassgermkey.com

smero.financial

opticsoptimum.com

pisanosportpraxis.com

pediatricfeedrates.com

binsogleam.com

sarahseatter.com

wywatershed.com

smellyhomeshop.com

naviorchidlife.com

cunerier.com

thecornercomputers.com

brightwoodcollection.com

taxprep-repsolutions.net

phukien4u.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3344-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3344-127-0x000000000041D070-mapping.dmp	xloader
behavioral2/memory/4052-134-0x00000000007C0000-0x00000000007E9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

a3aa510e_by_Libranalysis.exea3aa510e_by_Libranalysis.exesystray.exe

description	pid	process	target process
PID 3924 set thread context of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3344 set thread context of 3052	3344	a3aa510e_by_Libranalysis.exe	Explorer.EXE
PID 4052 set thread context of 3052	4052	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

a3aa510e_by_Libranalysis.exea3aa510e_by_Libranalysis.exesystray.exe

pid	process
3924	a3aa510e_by_Libranalysis.exe
3924	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe
4052	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

a3aa510e_by_Libranalysis.exesystray.exe

pid process

3344 a3aa510e_by_Libranalysis.exe
3344 a3aa510e_by_Libranalysis.exe
3344 a3aa510e_by_Libranalysis.exe
4052 systray.exe
4052 systray.exe

pid	process
3344	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
3344	a3aa510e_by_Libranalysis.exe
4052	systray.exe
4052	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a3aa510e_by_Libranalysis.exea3aa510e_by_Libranalysis.exesystray.exe

description	pid	process
Token: SeDebugPrivilege	3924	a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege	3344	a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege	4052	systray.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a3aa510e_by_Libranalysis.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3924 wrote to memory of 3580	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3580	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3580	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3924 wrote to memory of 3344	3924	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3052 wrote to memory of 4052	3052	Explorer.EXE	systray.exe
PID 3052 wrote to memory of 4052	3052	Explorer.EXE	systray.exe
PID 3052 wrote to memory of 4052	3052	Explorer.EXE	systray.exe
PID 4052 wrote to memory of 1200	4052	systray.exe	cmd.exe
PID 4052 wrote to memory of 1200	4052	systray.exe	cmd.exe
PID 4052 wrote to memory of 1200	4052	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-135-0x0000000000000000-mapping.dmp

Download
memory/3052-138-0x0000000002E80000-0x0000000002F6B000-memory.dmp

Filesize
940KB

Download
memory/3052-131-0x0000000008B80000-0x0000000008D0C000-memory.dmp

Filesize
1.5MB

Download
memory/3344-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3344-130-0x0000000000F30000-0x0000000000F41000-memory.dmp

Filesize
68KB

Download
memory/3344-129-0x0000000001100000-0x0000000001420000-memory.dmp

Filesize
3.1MB

Download
memory/3344-127-0x000000000041D070-mapping.dmp

Download
memory/3924-120-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3924-119-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3924-124-0x0000000000D10000-0x0000000000D88000-memory.dmp

Filesize
480KB

Download
memory/3924-125-0x0000000008010000-0x0000000008041000-memory.dmp

Filesize
196KB

Download
memory/3924-123-0x000000007F9A0000-0x000000007F9A1000-memory.dmp

Filesize
4KB

Download
memory/3924-121-0x0000000004F70000-0x0000000004F7D000-memory.dmp

Filesize
52KB

Download
memory/3924-114-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/3924-122-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/3924-118-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3924-116-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3924-117-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4052-133-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/4052-134-0x00000000007C0000-0x00000000007E9000-memory.dmp

Filesize
164KB

Download
memory/4052-136-0x0000000004980000-0x0000000004CA0000-memory.dmp

Filesize
3.1MB

Download
memory/4052-137-0x00000000047E0000-0x0000000004870000-memory.dmp

Filesize
576KB

Download
memory/4052-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads