xloader | 2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1

General

Target

NQBNpLezqZKv1P4.exe
Size

697KB
MD5

f03bf8d3ecc2ae4b40f836c59ac09bdf
SHA1

58f48a5a960eac4ee1f33ea16075cfd44f37b3a3
SHA256

2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
SHA512

9d174091b1bfb2e38da7cfb521bd5c6e471edb348e8e1c5cddd3b0784be6cd167617277c099d28927f97a24ee6a4e74d62e659dea23264d3c4ec738e6cee0255

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.extraclass.xyz/4nn8/

Decoy

chamtowon.com

yaaquu.com

thepettybox.com

zrcezzfdfkyjlir.com

finalcutgrowshop.com

856381151.xyz

fbgroupsmadesimple.com

thinktank-texas.com

shoppingsys.com

natezubal.com

skyhighbud.com

toddlely.net

bachelor-boys.com

blogdepr.com

chuanyigou.com

photocouture-show.com

spacetasks.com

kureitall.com

qmcp00033.com

visiodaya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/540-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/540-67-0x000000000041CFF0-mapping.dmp	xloader
behavioral1/memory/1156-73-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

344 cmd.exe

pid	process
344	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

NQBNpLezqZKv1P4.exeNQBNpLezqZKv1P4.exeNAPSTAT.EXE

description	pid	process	target process
PID 1796 set thread context of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 540 set thread context of 1212	540	NQBNpLezqZKv1P4.exe	Explorer.EXE
PID 1156 set thread context of 1212	1156	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

NQBNpLezqZKv1P4.exeNQBNpLezqZKv1P4.exeNAPSTAT.EXE

pid	process
1796	NQBNpLezqZKv1P4.exe
1796	NQBNpLezqZKv1P4.exe
540	NQBNpLezqZKv1P4.exe
540	NQBNpLezqZKv1P4.exe
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

NQBNpLezqZKv1P4.exeNAPSTAT.EXE

pid process

540 NQBNpLezqZKv1P4.exe
540 NQBNpLezqZKv1P4.exe
540 NQBNpLezqZKv1P4.exe
1156 NAPSTAT.EXE
1156 NAPSTAT.EXE

pid	process
540	NQBNpLezqZKv1P4.exe
540	NQBNpLezqZKv1P4.exe
540	NQBNpLezqZKv1P4.exe
1156	NAPSTAT.EXE
1156	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NQBNpLezqZKv1P4.exeNQBNpLezqZKv1P4.exeNAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1796	NQBNpLezqZKv1P4.exe
Token: SeDebugPrivilege	540	NQBNpLezqZKv1P4.exe
Token: SeDebugPrivilege	1156	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

NQBNpLezqZKv1P4.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1796 wrote to memory of 328	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 328	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 328	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 328	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 764	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 764	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 764	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 764	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1796 wrote to memory of 540	1796	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 1212 wrote to memory of 1156	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1156	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1156	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1156	1212	Explorer.EXE	NAPSTAT.EXE
PID 1156 wrote to memory of 344	1156	NAPSTAT.EXE	cmd.exe
PID 1156 wrote to memory of 344	1156	NAPSTAT.EXE	cmd.exe
PID 1156 wrote to memory of 344	1156	NAPSTAT.EXE	cmd.exe
PID 1156 wrote to memory of 344	1156	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
- Deletes itself
PID:344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-75-0x0000000000000000-mapping.dmp

Download
memory/540-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/540-68-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/540-69-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/540-67-0x000000000041CFF0-mapping.dmp

Download
memory/1156-72-0x0000000000940000-0x0000000000986000-memory.dmp

Filesize
280KB

Download
memory/1156-71-0x0000000000000000-mapping.dmp

Download
memory/1156-73-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1156-74-0x0000000001F20000-0x0000000002223000-memory.dmp

Filesize
3.0MB

Download
memory/1156-76-0x0000000001E10000-0x0000000001E9F000-memory.dmp

Filesize
572KB

Download
memory/1212-70-0x0000000004C60000-0x0000000004D9C000-memory.dmp

Filesize
1.2MB

Download
memory/1212-77-0x0000000004DA0000-0x0000000004EDB000-memory.dmp

Filesize
1.2MB

Download
memory/1796-65-0x0000000000620000-0x0000000000650000-memory.dmp

Filesize
192KB

Download
memory/1796-64-0x0000000005C60000-0x0000000005CD5000-memory.dmp

Filesize
468KB

Download
memory/1796-63-0x0000000000490000-0x00000000004AB000-memory.dmp

Filesize
108KB

Download
memory/1796-60-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1796-62-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads