xloader | 3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61

General

Target

csrss.exe
Size

767KB
MD5

0ddeb0b17f45b044ca999164550dd25c
SHA1

98c59b8743624e0354d47e51ccbc52d37c2260ec
SHA256

3be492c34e92a83547b0d1656e21f2d8aed8f7448fcb9f720b401c9daa26fc61
SHA512

83e87605ba0e523d9f1c215e2695f95d5a5f886e0151412212ec7c9abd0acebca5a2f2fd42df4fc292fc8ba72991cb38b8426179d4f103c1389ba6b44e8fe917

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.partypacktv.net/a3ea/

Decoy

yvsgge.com

shooter2.com

ugcfashion.com

deltaefficiencies.com

raidertomb.com

atiempoconguadalupe.com

whmmhh.com

hangar360aircraft.com

toughcookiemasks.store

blindowlch.com

yipo.info

mindsomamove.com

theresalobstahlike.com

nova-select.com

socetegen.com

platinaman.com

datsu-nihon.com

jumpstartinggenius.com

slxplay.com

rightwaysdecor.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1116-68-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1116-69-0x000000000041D030-mapping.dmp	xloader
behavioral1/memory/1648-77-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1912 cmd.exe

pid	process
1912	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

csrss.execsrss.exemsiexec.exe

description	pid	process	target process
PID 1668 set thread context of 1116	1668	csrss.exe	csrss.exe
PID 1116 set thread context of 1264	1116	csrss.exe	Explorer.EXE
PID 1648 set thread context of 1264	1648	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

csrss.execsrss.exemsiexec.exe

pid	process
1668	csrss.exe
1668	csrss.exe
1116	csrss.exe
1116	csrss.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe
1648	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

csrss.exemsiexec.exe

pid process

1116 csrss.exe
1116 csrss.exe
1116 csrss.exe
1648 msiexec.exe
1648 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

csrss.execsrss.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1668 csrss.exe
Token: SeDebugPrivilege 1116 csrss.exe
Token: SeDebugPrivilege 1648 msiexec.exe

pid	process
1116	csrss.exe
1116	csrss.exe
1116	csrss.exe
1648	msiexec.exe
1648	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	1668	csrss.exe
Token: SeDebugPrivilege	1116	csrss.exe
Token: SeDebugPrivilege	1648	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

csrss.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1668 wrote to memory of 1116	1668	csrss.exe	csrss.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1264 wrote to memory of 1648	1264	Explorer.EXE	msiexec.exe
PID 1648 wrote to memory of 1912	1648	msiexec.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	msiexec.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	msiexec.exe	cmd.exe
PID 1648 wrote to memory of 1912	1648	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
3⤵
- Deletes itself
PID:1912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1116-70-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/1116-71-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1116-69-0x000000000041D030-mapping.dmp

Download
memory/1264-72-0x0000000006EE0000-0x0000000007036000-memory.dmp

Filesize
1.3MB

Download
memory/1264-80-0x00000000029C0000-0x0000000002A52000-memory.dmp

Filesize
584KB

Download
memory/1648-73-0x0000000000000000-mapping.dmp

Download
memory/1648-74-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1648-78-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/1648-77-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1648-76-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/1648-79-0x0000000002020000-0x00000000020AF000-memory.dmp

Filesize
572KB

Download
memory/1668-67-0x0000000005130000-0x00000000051A8000-memory.dmp

Filesize
480KB

Download
memory/1668-62-0x0000000000720000-0x0000000000781000-memory.dmp

Filesize
388KB

Download
memory/1668-61-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1912-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads