xloader | 3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e

General

Target

a3aa510e_by_Libranalysis.exe
Size

531KB
MD5

a3aa510eb6f74e8dfc7a8c3bcd0fedf6
SHA1

286e81ec896f6746a1ca48e59dc6735c25249a37
SHA256

3f359e1a20563017c2f66a4e01136fbd73a9293ca1ce3df2dd880a94b9eee23e
SHA512

28c5048dda26762d5859488ef46cc222de632174e35d62e07b05ede307ec35309fd5636b53ba454e26386fb7033a8ae60f3cfe920b075cc1373589b14dfee2aa

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jqjdgw.com/ued5/

Decoy

italiancosmeticbeauty.com

zhima7.com

phresheffect.com

comp-savvy.net

xjhtcaum.com

copperbrassgermkey.com

smero.financial

opticsoptimum.com

pisanosportpraxis.com

pediatricfeedrates.com

binsogleam.com

sarahseatter.com

wywatershed.com

smellyhomeshop.com

naviorchidlife.com

cunerier.com

thecornercomputers.com

brightwoodcollection.com

taxprep-repsolutions.net

phukien4u.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2284-127-0x000000000041D070-mapping.dmp	xloader
behavioral2/memory/2284-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1268-134-0x0000000000F80000-0x0000000000FA9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

a3aa510e_by_Libranalysis.exea3aa510e_by_Libranalysis.exenetsh.exe

description	pid	process	target process
PID 804 set thread context of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 2284 set thread context of 3056	2284	a3aa510e_by_Libranalysis.exe	Explorer.EXE
PID 1268 set thread context of 3056	1268	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

a3aa510e_by_Libranalysis.exenetsh.exe

pid	process
2284	a3aa510e_by_Libranalysis.exe
2284	a3aa510e_by_Libranalysis.exe
2284	a3aa510e_by_Libranalysis.exe
2284	a3aa510e_by_Libranalysis.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe
1268	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

a3aa510e_by_Libranalysis.exenetsh.exe

pid process

2284 a3aa510e_by_Libranalysis.exe
2284 a3aa510e_by_Libranalysis.exe
2284 a3aa510e_by_Libranalysis.exe
1268 netsh.exe
1268 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a3aa510e_by_Libranalysis.exenetsh.exe

description pid process

Token: SeDebugPrivilege 2284 a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege 1268 netsh.exe

description	pid	process
Token: SeDebugPrivilege	2284	a3aa510e_by_Libranalysis.exe
Token: SeDebugPrivilege	1268	netsh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a3aa510e_by_Libranalysis.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 804 wrote to memory of 2284	804	a3aa510e_by_Libranalysis.exe	a3aa510e_by_Libranalysis.exe
PID 3056 wrote to memory of 1268	3056	Explorer.EXE	netsh.exe
PID 3056 wrote to memory of 1268	3056	Explorer.EXE	netsh.exe
PID 3056 wrote to memory of 1268	3056	Explorer.EXE	netsh.exe
PID 1268 wrote to memory of 3116	1268	netsh.exe	cmd.exe
PID 1268 wrote to memory of 3116	1268	netsh.exe	cmd.exe
PID 1268 wrote to memory of 3116	1268	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a3aa510e_by_Libranalysis.exe"
3⤵
PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-125-0x0000000008570000-0x00000000085A1000-memory.dmp

Filesize
196KB

Download
memory/804-124-0x00000000011A0000-0x0000000001218000-memory.dmp

Filesize
480KB

Download
memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/804-118-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/804-119-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/804-120-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/804-121-0x0000000005340000-0x000000000583E000-memory.dmp

Filesize
5.0MB

Download
memory/804-122-0x00000000057B0000-0x00000000057BD000-memory.dmp

Filesize
52KB

Download
memory/804-123-0x000000007E900000-0x000000007E901000-memory.dmp

Filesize
4KB

Download
memory/804-116-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/804-117-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1268-132-0x0000000000000000-mapping.dmp

Download
memory/1268-134-0x0000000000F80000-0x0000000000FA9000-memory.dmp

Filesize
164KB

Download
memory/1268-135-0x0000000001250000-0x0000000001570000-memory.dmp

Filesize
3.1MB

Download
memory/1268-133-0x0000000001680000-0x000000000169E000-memory.dmp

Filesize
120KB

Download
memory/1268-137-0x00000000036A0000-0x0000000003730000-memory.dmp

Filesize
576KB

Download
memory/2284-130-0x0000000001D90000-0x0000000001DA1000-memory.dmp

Filesize
68KB

Download
memory/2284-129-0x0000000001A70000-0x0000000001D90000-memory.dmp

Filesize
3.1MB

Download
memory/2284-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2284-127-0x000000000041D070-mapping.dmp

Download
memory/3056-138-0x0000000006A40000-0x0000000006AF4000-memory.dmp

Filesize
720KB

Download
memory/3056-131-0x0000000003290000-0x0000000003344000-memory.dmp

Filesize
720KB

Download
memory/3116-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads