xloader | 2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1

General

Target

NQBNpLezqZKv1P4.exe
Size

697KB
MD5

f03bf8d3ecc2ae4b40f836c59ac09bdf
SHA1

58f48a5a960eac4ee1f33ea16075cfd44f37b3a3
SHA256

2e4cf88a434d484057fcc090cb7de5deb6d30c8e00da339c886f2482f6a7ebe1
SHA512

9d174091b1bfb2e38da7cfb521bd5c6e471edb348e8e1c5cddd3b0784be6cd167617277c099d28927f97a24ee6a4e74d62e659dea23264d3c4ec738e6cee0255

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.extraclass.xyz/4nn8/

Decoy

chamtowon.com

yaaquu.com

thepettybox.com

zrcezzfdfkyjlir.com

finalcutgrowshop.com

856381151.xyz

fbgroupsmadesimple.com

thinktank-texas.com

shoppingsys.com

natezubal.com

skyhighbud.com

toddlely.net

bachelor-boys.com

blogdepr.com

chuanyigou.com

photocouture-show.com

spacetasks.com

kureitall.com

qmcp00033.com

visiodaya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3744-125-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3744-126-0x000000000041CFF0-mapping.dmp	xloader
behavioral2/memory/2040-134-0x0000000002540000-0x0000000002568000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

NQBNpLezqZKv1P4.exeNQBNpLezqZKv1P4.exemstsc.exe

description	pid	process	target process
PID 2192 set thread context of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 3744 set thread context of 3016	3744	NQBNpLezqZKv1P4.exe	Explorer.EXE
PID 3744 set thread context of 3016	3744	NQBNpLezqZKv1P4.exe	Explorer.EXE
PID 2040 set thread context of 3016	2040	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

NQBNpLezqZKv1P4.exemstsc.exe

pid	process
3744	NQBNpLezqZKv1P4.exe
3744	NQBNpLezqZKv1P4.exe
3744	NQBNpLezqZKv1P4.exe
3744	NQBNpLezqZKv1P4.exe
3744	NQBNpLezqZKv1P4.exe
3744	NQBNpLezqZKv1P4.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe
2040	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

NQBNpLezqZKv1P4.exemstsc.exe

pid process

3744 NQBNpLezqZKv1P4.exe
3744 NQBNpLezqZKv1P4.exe
3744 NQBNpLezqZKv1P4.exe
3744 NQBNpLezqZKv1P4.exe
2040 mstsc.exe
2040 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NQBNpLezqZKv1P4.exemstsc.exe

description pid process

Token: SeDebugPrivilege 3744 NQBNpLezqZKv1P4.exe
Token: SeDebugPrivilege 2040 mstsc.exe

pid	process
3016	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3744	NQBNpLezqZKv1P4.exe
Token: SeDebugPrivilege	2040	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NQBNpLezqZKv1P4.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 2192 wrote to memory of 3744	2192	NQBNpLezqZKv1P4.exe	NQBNpLezqZKv1P4.exe
PID 3016 wrote to memory of 2040	3016	Explorer.EXE	mstsc.exe
PID 3016 wrote to memory of 2040	3016	Explorer.EXE	mstsc.exe
PID 3016 wrote to memory of 2040	3016	Explorer.EXE	mstsc.exe
PID 2040 wrote to memory of 3684	2040	mstsc.exe	cmd.exe
PID 2040 wrote to memory of 3684	2040	mstsc.exe	cmd.exe
PID 2040 wrote to memory of 3684	2040	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe
"C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\NQBNpLezqZKv1P4.exe"
3⤵
PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-132-0x0000000000000000-mapping.dmp

Download
memory/2040-137-0x0000000004490000-0x000000000451F000-memory.dmp

Filesize
572KB

Download
memory/2040-135-0x0000000004680000-0x00000000049A0000-memory.dmp

Filesize
3.1MB

Download
memory/2040-133-0x0000000000140000-0x000000000043C000-memory.dmp

Filesize
3.0MB

Download
memory/2040-134-0x0000000002540000-0x0000000002568000-memory.dmp

Filesize
160KB

Download
memory/2192-121-0x0000000004C80000-0x000000000517E000-memory.dmp

Filesize
5.0MB

Download
memory/2192-120-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2192-122-0x0000000006810000-0x000000000682B000-memory.dmp

Filesize
108KB

Download
memory/2192-123-0x0000000000BC0000-0x0000000000C35000-memory.dmp

Filesize
468KB

Download
memory/2192-124-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/2192-116-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2192-117-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2192-118-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2192-119-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2192-114-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/3016-129-0x0000000003220000-0x0000000003308000-memory.dmp

Filesize
928KB

Download
memory/3016-131-0x00000000069E0000-0x0000000006B33000-memory.dmp

Filesize
1.3MB

Download
memory/3016-138-0x0000000006DE0000-0x0000000006F58000-memory.dmp

Filesize
1.5MB

Download
memory/3684-136-0x0000000000000000-mapping.dmp

Download
memory/3744-130-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/3744-127-0x0000000001070000-0x0000000001390000-memory.dmp

Filesize
3.1MB

Download
memory/3744-128-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3744-126-0x000000000041CFF0-mapping.dmp

Download
memory/3744-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads