xloader | 306197e367d32ebeb65e18cd9607f58268f6e4751de77ae1cf8f5270e660c1f6

General

Target

.wininit.exe
Size

904KB
MD5

6c15b3de8c54e5e3339a446af50fc48a
SHA1

1133619a11f7410cf2ee2ca0e42324898e524154
SHA256

306197e367d32ebeb65e18cd9607f58268f6e4751de77ae1cf8f5270e660c1f6
SHA512

6bd0a44da885f085bafa277169c79fcb4411c928b850e16cea3b3119ad81b23a3497c211150ba8cb386a649ef7ed9f89ab026e570844dab2b83762b4dce36a6a

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.tjbc-bearing.com/u6bi/

Decoy

5588aiai.com

sint-ecommerce.com

epreyn.com

unexpectedbrewing.com

pomiandpam.com

viverdebatatas.com

dirham.world

accademiadelfuturo.net

mengyaheng.com

ilocalrealtor.com

glomiotel.website

metal1sa.com

kslife.net

maxfitnesslakeoconee.com

hoteldeleauvive.com

sidingzhou.com

getvocall.com

basicryptomining.com

indiasofannapolis.com

tresorbrut.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3136-128-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3136-129-0x000000000041D040-mapping.dmp	xloader
behavioral2/memory/3772-135-0x0000000000600000-0x0000000000628000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

.wininit.exe.wininit.execmmon32.exe

description	pid	process	target process
PID 2192 set thread context of 3136	2192	.wininit.exe	.wininit.exe
PID 3136 set thread context of 3016	3136	.wininit.exe	Explorer.EXE
PID 3772 set thread context of 3016	3772	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

.wininit.execmmon32.exe

pid	process
3136	.wininit.exe
3136	.wininit.exe
3136	.wininit.exe
3136	.wininit.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe
3772	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

.wininit.execmmon32.exe

pid process

3136 .wininit.exe
3136 .wininit.exe
3136 .wininit.exe
3772 cmmon32.exe
3772 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

.wininit.execmmon32.exe

description pid process

Token: SeDebugPrivilege 3136 .wininit.exe
Token: SeDebugPrivilege 3772 cmmon32.exe

pid	process
3016	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3136	.wininit.exe
Token: SeDebugPrivilege	3772	cmmon32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

.wininit.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 2192 wrote to memory of 3136	2192	.wininit.exe	.wininit.exe
PID 3016 wrote to memory of 3772	3016	Explorer.EXE	cmmon32.exe
PID 3016 wrote to memory of 3772	3016	Explorer.EXE	cmmon32.exe
PID 3016 wrote to memory of 3772	3016	Explorer.EXE	cmmon32.exe
PID 3772 wrote to memory of 744	3772	cmmon32.exe	cmd.exe
PID 3772 wrote to memory of 744	3772	cmmon32.exe	cmd.exe
PID 3772 wrote to memory of 744	3772	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\.wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\.wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\.wininit.exe
    "C:\Users\Admin\AppData\Local\Temp\.wininit.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\.wininit.exe"
    3⤵
    PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-137-0x0000000000000000-mapping.dmp

Download
memory/2192-127-0x0000000008710000-0x000000000873B000-memory.dmp

Filesize
172KB

Download
memory/2192-116-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2192-118-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2192-119-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2192-120-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2192-121-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2192-122-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2192-123-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2192-124-0x0000000004CA0000-0x000000000519E000-memory.dmp

Filesize
5.0MB

Download
memory/2192-125-0x0000000006B70000-0x0000000006B8B000-memory.dmp

Filesize
108KB

Download
memory/2192-126-0x0000000008670000-0x00000000086DF000-memory.dmp

Filesize
444KB

Download
memory/2192-117-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2192-114-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/3016-132-0x0000000003220000-0x00000000032D6000-memory.dmp

Filesize
728KB

Download
memory/3016-139-0x00000000067E0000-0x000000000689C000-memory.dmp

Filesize
752KB

Download
memory/3136-129-0x000000000041D040-mapping.dmp

Download
memory/3136-128-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3136-130-0x00000000017F0000-0x0000000001B10000-memory.dmp

Filesize
3.1MB

Download
memory/3136-131-0x00000000017E0000-0x00000000017F0000-memory.dmp

Filesize
64KB

Download
memory/3772-133-0x0000000000000000-mapping.dmp

Download
memory/3772-134-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/3772-135-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download
memory/3772-136-0x0000000004440000-0x0000000004760000-memory.dmp

Filesize
3.1MB

Download
memory/3772-138-0x0000000000DD0000-0x0000000000E5F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads