xloader | 3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e

General

Target

a3aa510e_by_Libranalysis.exe
Size

531KB
MD5

a3aa510eb6f74e8dfc7a8c3bcd0fedf6
SHA1

286e81ec896f6746a1ca48e59dc6735c25249a37
SHA256

3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e
SHA512

28c5048dda26762d5859488ef46cc222de632174e35d62e07b05ede307ec35309fd5636b53ba454e26386fb7033a8ae60f3cfe920b075cc1373589b14dfee2aa

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jqjdgw.com/ued5/

Decoy

italiancosmeticbeauty.com

zhima7.com

phresheffect.com

comp-savvy.net

xjhtcaum.com

copperbrassgermkey.com

smero.financial

opticsoptimum.com

pisanosportpraxis.com

pediatricfeedrates.com

binsogleam.com

sarahseatter.com

wywatershed.com

smellyhomeshop.com

naviorchidlife.com

cunerier.com

thecornercomputers.com

brightwoodcollection.com

taxprep-repsolutions.net

phukien4u.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1776-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1776-67-0x000000000041D070-mapping.dmp	xloader
behavioral1/memory/552-75-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

744 cmd.exe

pid	process
744	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a3aa510e_by_Libranalysis.exea3aa510e_by_Libranalysis.exewininit.exe

description	pid	process	target process
PID 1116 set thread context of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1776 set thread context of 1292	1776	a3aa510e_by_Libranalysis.exe	Explorer.EXE
PID 552 set thread context of 1292	552	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

a3aa510e_by_Libranalysis.exewininit.exe

pid	process
1776	a3aa510e_by_Libranalysis.exe
1776	a3aa510e_by_Libranalysis.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe
552	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

a3aa510e_by_Libranalysis.exewininit.exe

pid process

1776 a3aa510e_by_Libranalysis.exe
1776 a3aa510e_by_Libranalysis.exe
1776 a3aa510e_by_Libranalysis.exe
552 wininit.exe
552 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a3aa510e_by_Libranalysis.exewininit.exe

description pid process

Token: SeDebugPrivilege 1776 a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege 552 wininit.exe

description	pid	process
Token: SeDebugPrivilege	1776	a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege	552	wininit.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a3aa510e_by_Libranalysis.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1116 wrote to memory of 1776	1116	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 1292 wrote to memory of 552	1292	Explorer.EXE	wininit.exe
PID 1292 wrote to memory of 552	1292	Explorer.EXE	wininit.exe
PID 1292 wrote to memory of 552	1292	Explorer.EXE	wininit.exe
PID 1292 wrote to memory of 552	1292	Explorer.EXE	wininit.exe
PID 552 wrote to memory of 744	552	wininit.exe	cmd.exe
PID 552 wrote to memory of 744	552	wininit.exe	cmd.exe
PID 552 wrote to memory of 744	552	wininit.exe	cmd.exe
PID 552 wrote to memory of 744	552	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
- Deletes itself
PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-72-0x0000000000000000-mapping.dmp

Download
memory/552-77-0x0000000000980000-0x0000000000A10000-memory.dmp

Filesize
576KB

Download
memory/552-76-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/552-75-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/552-74-0x0000000000DE0000-0x0000000000DFA000-memory.dmp

Filesize
104KB

Download
memory/744-73-0x0000000000000000-mapping.dmp

Download
memory/1116-64-0x0000000004EE0000-0x0000000004F58000-memory.dmp

Filesize
480KB

Download
memory/1116-65-0x0000000000FF0000-0x0000000001021000-memory.dmp

Filesize
196KB

Download
memory/1116-59-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1116-63-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1116-62-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/1116-61-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1292-71-0x0000000006CA0000-0x0000000006DA8000-memory.dmp

Filesize
1.0MB

Download
memory/1292-78-0x0000000008E60000-0x0000000008FC6000-memory.dmp

Filesize
1.4MB

Download
memory/1776-67-0x000000000041D070-mapping.dmp

Download
memory/1776-69-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1776-70-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1776-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads