xloader | eb8c5fa3da30f5d972e7d30767099990aadce5af9e046a2765b0c64222eab118

General

Target

e9777bb4_by_Libranalysis.exe
Size

920KB
MD5

e9777bb4745f38009a1d806392a437e5
SHA1

76ffc32ba98dd84e396af77ad4311d99b3a1bbb0
SHA256

eb8c5fa3da30f5d972e7d30767099990aadce5af9e046a2765b0c64222eab118
SHA512

794f80a25ae343075421e2d6a030d3a30ef0f2790649fad1c7fc80b31b4ce9d755dfe10634e0d28a684f39d2cffec0c8e7c17d18547df88335ef2d5c2de29f0f

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.asconstructionin.com/m3rc/

Decoy

manonkelley.com

prosperouspromises.com

biglebowlski.com

zhenyash.com

wayinfinite.com

vaginalmedicine.com

garnogroup.com

6-8-8-8-8.website

universtal.com

gillet.pro

hwrfxkna.com

unapersonaestabien.com

organicdiehards.com

santini7.com

salt9pepper.com

ericasorganiclife.com

vipgifts.online

mariozumbo.com

genetikfatura.com

heypapabear.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/268-67-0x000000000041D030-mapping.dmp	xloader
behavioral1/memory/1732-74-0x0000000000110000-0x0000000000138000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

620 cmd.exe

pid	process
620	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e9777bb4_by_Libranalysis.exee9777bb4_by_Libranalysis.exeNAPSTAT.EXE

description	pid	process	target process
PID 108 set thread context of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 268 set thread context of 1212	268	e9777bb4_by_Libranalysis.exe	Explorer.EXE
PID 1732 set thread context of 1212	1732	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

e9777bb4_by_Libranalysis.exee9777bb4_by_Libranalysis.exeNAPSTAT.EXE

pid	process
108	e9777bb4_by_Libranalysis.exe
108	e9777bb4_by_Libranalysis.exe
108	e9777bb4_by_Libranalysis.exe
268	e9777bb4_by_Libranalysis.exe
268	e9777bb4_by_Libranalysis.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

e9777bb4_by_Libranalysis.exeNAPSTAT.EXE

pid process

268 e9777bb4_by_Libranalysis.exe
268 e9777bb4_by_Libranalysis.exe
268 e9777bb4_by_Libranalysis.exe
1732 NAPSTAT.EXE
1732 NAPSTAT.EXE

pid	process
268	e9777bb4_by_Libranalysis.exe
268	e9777bb4_by_Libranalysis.exe
268	e9777bb4_by_Libranalysis.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e9777bb4_by_Libranalysis.exee9777bb4_by_Libranalysis.exeNAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	108	e9777bb4_by_Libranalysis.exe
Token: SeDebugPrivilege	268	e9777bb4_by_Libranalysis.exe
Token: SeDebugPrivilege	1732	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e9777bb4_by_Libranalysis.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 108 wrote to memory of 268	108	e9777bb4_by_Libranalysis.exe	e9777bb4_by_Libranalysis.exe
PID 1212 wrote to memory of 1732	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1732	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1732	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1732	1212	Explorer.EXE	NAPSTAT.EXE
PID 1732 wrote to memory of 620	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 620	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 620	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 620	1732	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\e9777bb4_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\e9777bb4_by_Libranalysis.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\e9777bb4_by_Libranalysis.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\e9777bb4_by_Libranalysis.exe"
3⤵
- Deletes itself
PID:620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-60-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/108-62-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/108-63-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/108-64-0x0000000004DC0000-0x0000000004E50000-memory.dmp

Filesize
576KB

Download
memory/108-65-0x00000000010A0000-0x00000000010E1000-memory.dmp

Filesize
260KB

Download
memory/268-70-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/268-67-0x000000000041D030-mapping.dmp

Download
memory/268-69-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/268-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/620-75-0x0000000000000000-mapping.dmp

Download
memory/1212-71-0x0000000004470000-0x000000000455F000-memory.dmp

Filesize
956KB

Download
memory/1212-78-0x0000000004FE0000-0x00000000050DE000-memory.dmp

Filesize
1016KB

Download
memory/1732-72-0x0000000000000000-mapping.dmp

Download
memory/1732-73-0x0000000000060000-0x00000000000A6000-memory.dmp

Filesize
280KB

Download
memory/1732-74-0x0000000000110000-0x0000000000138000-memory.dmp

Filesize
160KB

Download
memory/1732-76-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1732-77-0x0000000000660000-0x00000000006EF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads