xloader | 59afbfdaae8dac4d2c4b5e94d05ce217171cc0a0e14568590d70a2291cc9f0c0

General

Target

qt-64647euro.exe
Size

376KB
MD5

c7869904df7369ecb0e07caa879bb981
SHA1

f35f9af1d4cb23da445e03a9763663790aeec6f1
SHA256

078e4b00d3b4cf59fcdb2ec643fa91edb000419950a3e5ac973b0ed0c648d87a
SHA512

0453ceb6e22b5a0449af4a17a0ea41bb107328a436810339061f9b3a74b5b30cb427c61671199248683db145fed7fe8ded88e836191b27f6ae3db07e1bbe3122

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.wwwnptpool.com/cea0/

Decoy

answerwith.com

bingji5.com

choicesrecoverytrainings.com

goodyearpromotions.com

projectguruji.com

outofsandbox.com

chicagosingersforhire.com

goprosquad.com

askmohsin.com

avangardinmobiliaria.com

ultimabritannia.com

alimentafricain.com

recruit-marilyn.com

massu-blog.com

commandsilicon.icu

clearchannel.sucks

greenatlasng.com

spatialdesignoxford.com

nurzia.net

technocratbusiness.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1820-114-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1820-115-0x000000000041D0B0-mapping.dmp	xloader
behavioral2/memory/1820-118-0x0000000000530000-0x000000000067A000-memory.dmp	xloader
behavioral2/memory/2500-123-0x0000000000EE0000-0x0000000000F09000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

qt-64647euro.exeqt-64647euro.exewlanext.exe

description	pid	process	target process
PID 3560 set thread context of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 1820 set thread context of 2984	1820	qt-64647euro.exe	Explorer.EXE
PID 2500 set thread context of 2984	2500	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

qt-64647euro.exewlanext.exe

pid	process
1820	qt-64647euro.exe
1820	qt-64647euro.exe
1820	qt-64647euro.exe
1820	qt-64647euro.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe
2500	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2984 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

qt-64647euro.exewlanext.exe

pid process

1820 qt-64647euro.exe
1820 qt-64647euro.exe
1820 qt-64647euro.exe
2500 wlanext.exe
2500 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

qt-64647euro.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1820 qt-64647euro.exe
Token: SeDebugPrivilege 2500 wlanext.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2984 Explorer.EXE

pid	process
2984	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1820	qt-64647euro.exe
Token: SeDebugPrivilege	2500	wlanext.exe

pid	process
2984	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

qt-64647euro.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 3560 wrote to memory of 1820	3560	qt-64647euro.exe	qt-64647euro.exe
PID 2984 wrote to memory of 2500	2984	Explorer.EXE	wlanext.exe
PID 2984 wrote to memory of 2500	2984	Explorer.EXE	wlanext.exe
PID 2984 wrote to memory of 2500	2984	Explorer.EXE	wlanext.exe
PID 2500 wrote to memory of 3976	2500	wlanext.exe	cmd.exe
PID 2500 wrote to memory of 3976	2500	wlanext.exe	cmd.exe
PID 2500 wrote to memory of 3976	2500	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe
"C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe
"C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
3⤵
PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-118-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/1820-115-0x000000000041D0B0-mapping.dmp

Download
memory/1820-114-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-119-0x0000000000AD0000-0x0000000000DF0000-memory.dmp

Filesize
3.1MB

Download
memory/2500-121-0x0000000000000000-mapping.dmp

Download
memory/2500-122-0x0000000001300000-0x0000000001317000-memory.dmp

Filesize
92KB

Download
memory/2500-123-0x0000000000EE0000-0x0000000000F09000-memory.dmp

Filesize
164KB

Download
memory/2500-125-0x0000000003670000-0x0000000003990000-memory.dmp

Filesize
3.1MB

Download
memory/2500-126-0x0000000003420000-0x00000000034AF000-memory.dmp

Filesize
572KB

Download
memory/2984-120-0x00000000057C0000-0x00000000058B6000-memory.dmp

Filesize
984KB

Download
memory/2984-127-0x0000000003050000-0x00000000030E4000-memory.dmp

Filesize
592KB

Download
memory/3560-116-0x0000000000990000-0x0000000000ADA000-memory.dmp

Filesize
1.3MB

Download
memory/3976-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads