xloader | df22601db1675ce639bc8efe21534f7371050ae9637f6cdf38bc23ae6c18efdf

General

Target

da.exe
Size

875KB
MD5

9fdf605ce0358540d48502367e637b0a
SHA1

1416ebf9b0382a8794bb89f5ee947ec668ce7fdb
SHA256

df22601db1675ce639bc8efe21534f7371050ae9637f6cdf38bc23ae6c18efdf
SHA512

a194aba3f8c20669ff741ccb59ce7b7023123e1e7984d6d6306a9099d78775ba7bdb92691c26b39522ede6f799f34e96d6b14db1e66429bea26077b95e805bf7

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.cats16.com/8u3b/

Decoy

pipienta.com

wisdomfest.net

jenniferreich.com

bigcanoehomesforless.com

kayandbernard.com

offerbuildingsecrets.com

benleefoto.com

contactlesssoftware.tech

statenislandplumbing.info

lifestylemedicineservices.com

blazerplanning.com

fnatic-skins.club

effectivemarketinginc.com

babyshopit.com

2000deal.com

k12paymentcemter.com

spwakd.com

lesreponses.com

abundando.com

hawkspremierfhc.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3012-126-0x000000000041D0A0-mapping.dmp	xloader
behavioral2/memory/3012-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1940-133-0x0000000000150000-0x0000000000179000-memory.dmp	xloader

Suspicious use of SetThreadContext 2 IoCs

Processes:

da.exeda.exe

description pid process target process

PID 3952 set thread context of 3012 3952 da.exe da.exe
PID 3012 set thread context of 2756 3012 da.exe Explorer.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

da.exesvchost.exe

pid process

3012 da.exe
3012 da.exe
3012 da.exe
3012 da.exe
1940 svchost.exe
1940 svchost.exe
1940 svchost.exe
1940 svchost.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

da.exesvchost.exe

pid process

3012 da.exe
3012 da.exe
3012 da.exe
1940 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

da.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3012 da.exe
Token: SeDebugPrivilege 1940 svchost.exe

description	pid	process	target process
PID 3952 set thread context of 3012	3952	da.exe	da.exe
PID 3012 set thread context of 2756	3012	da.exe	Explorer.EXE

pid	process
3012	da.exe
3012	da.exe
3012	da.exe
3012	da.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe
1940	svchost.exe

pid	process
3012	da.exe
3012	da.exe
3012	da.exe
1940	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3012	da.exe
Token: SeDebugPrivilege	1940	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

da.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 3952 wrote to memory of 3012	3952	da.exe	da.exe
PID 2756 wrote to memory of 1940	2756	Explorer.EXE	svchost.exe
PID 2756 wrote to memory of 1940	2756	Explorer.EXE	svchost.exe
PID 2756 wrote to memory of 1940	2756	Explorer.EXE	svchost.exe
PID 1940 wrote to memory of 2820	1940	svchost.exe	cmd.exe
PID 1940 wrote to memory of 2820	1940	svchost.exe	cmd.exe
PID 1940 wrote to memory of 2820	1940	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\da.exe
"C:\Users\Admin\AppData\Local\Temp\da.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\da.exe
"C:\Users\Admin\AppData\Local\Temp\da.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\da.exe"
3⤵
PID:2820

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-135-0x0000000002E20000-0x0000000003140000-memory.dmp

Filesize
3.1MB

Download
memory/1940-133-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/1940-132-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/1940-131-0x0000000000000000-mapping.dmp

Download
memory/2756-130-0x0000000006150000-0x00000000062C3000-memory.dmp

Filesize
1.4MB

Download
memory/2820-134-0x0000000000000000-mapping.dmp

Download
memory/3012-126-0x000000000041D0A0-mapping.dmp

Download
memory/3012-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-129-0x0000000001490000-0x00000000014A1000-memory.dmp

Filesize
68KB

Download
memory/3012-128-0x0000000000FB0000-0x00000000012D0000-memory.dmp

Filesize
3.1MB

Download
memory/3952-114-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3952-122-0x0000000004EC0000-0x0000000004EC4000-memory.dmp

Filesize
16KB

Download
memory/3952-124-0x0000000007E20000-0x0000000007EA1000-memory.dmp

Filesize
516KB

Download
memory/3952-123-0x0000000005890000-0x0000000005954000-memory.dmp

Filesize
784KB

Download
memory/3952-121-0x0000000004910000-0x00000000049AC000-memory.dmp

Filesize
624KB

Download
memory/3952-120-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3952-119-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/3952-118-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3952-117-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3952-116-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing