xloader | a6169937c872aefc3f1e5c13e40f05d9cb0cbba3a16490f134b810b47027b035

General

Target

uiza7XkNGQPRQvb.exe
Size

693KB
MD5

9d9f2d5ba71372d4bbd85a9088ba7bc7
SHA1

353192974e4f523bdcb472478e5a652e194c6481
SHA256

a6169937c872aefc3f1e5c13e40f05d9cb0cbba3a16490f134b810b47027b035
SHA512

7ea510bdc7057f5442055b8c36b329e8e0c68cdc2c0f93a693e69979307369d2eb662093ecc53ee6b03b2667598fa28b9d01ed15679f98fce2eec911e5c564a8

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.lapashawhite.com/p596/

Decoy

ushistorical.com

lovepropertylondon.com

acupress-the-point.com

3772548.com

ambientabuse.com

primaveracm.com

themidwestmomblog.com

havasavunma.com

rockyroadbrand.com

zzphys.com

masque-inclusif.com

myeonyeokplus.com

linkernet.pro

zezirma.com

mysiniar.com

andreamall.com

mattesonauto.com

wandopowerinc.com

casaurgence.com

salishseaquilts.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/796-66-0x000000000041D060-mapping.dmp	xloader
behavioral1/memory/796-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1156-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1832 cmd.exe

pid	process
1832	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uiza7XkNGQPRQvb.exeuiza7XkNGQPRQvb.exewininit.exe

description	pid	process	target process
PID 1060 set thread context of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 796 set thread context of 1216	796	uiza7XkNGQPRQvb.exe	Explorer.EXE
PID 1156 set thread context of 1216	1156	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

uiza7XkNGQPRQvb.exeuiza7XkNGQPRQvb.exewininit.exe

pid	process
1060	uiza7XkNGQPRQvb.exe
796	uiza7XkNGQPRQvb.exe
796	uiza7XkNGQPRQvb.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe
1156	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

uiza7XkNGQPRQvb.exewininit.exe

pid process

796 uiza7XkNGQPRQvb.exe
796 uiza7XkNGQPRQvb.exe
796 uiza7XkNGQPRQvb.exe
1156 wininit.exe
1156 wininit.exe

pid	process
796	uiza7XkNGQPRQvb.exe
796	uiza7XkNGQPRQvb.exe
796	uiza7XkNGQPRQvb.exe
1156	wininit.exe
1156	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

uiza7XkNGQPRQvb.exeuiza7XkNGQPRQvb.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1060	uiza7XkNGQPRQvb.exe
Token: SeDebugPrivilege	796	uiza7XkNGQPRQvb.exe
Token: SeDebugPrivilege	1156	wininit.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

uiza7XkNGQPRQvb.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1060 wrote to memory of 796	1060	uiza7XkNGQPRQvb.exe	uiza7XkNGQPRQvb.exe
PID 1216 wrote to memory of 1156	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1156	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1156	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1156	1216	Explorer.EXE	wininit.exe
PID 1156 wrote to memory of 1832	1156	wininit.exe	cmd.exe
PID 1156 wrote to memory of 1832	1156	wininit.exe	cmd.exe
PID 1156 wrote to memory of 1832	1156	wininit.exe	cmd.exe
PID 1156 wrote to memory of 1832	1156	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\uiza7XkNGQPRQvb.exe
"C:\Users\Admin\AppData\Local\Temp\uiza7XkNGQPRQvb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\uiza7XkNGQPRQvb.exe
"C:\Users\Admin\AppData\Local\Temp\uiza7XkNGQPRQvb.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\uiza7XkNGQPRQvb.exe"
3⤵
- Deletes itself
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-66-0x000000000041D060-mapping.dmp

Download
memory/796-68-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/796-67-0x0000000000AF0000-0x0000000000DF3000-memory.dmp

Filesize
3.0MB

Download
memory/796-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1060-64-0x00000000020D0000-0x00000000020FF000-memory.dmp

Filesize
188KB

Download
memory/1060-59-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1060-63-0x0000000005060000-0x00000000050D2000-memory.dmp

Filesize
456KB

Download
memory/1060-62-0x00000000004B0000-0x00000000004CB000-memory.dmp

Filesize
108KB

Download
memory/1060-61-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1156-70-0x0000000000000000-mapping.dmp

Download
memory/1156-71-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1156-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1156-73-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/1156-75-0x0000000001D80000-0x0000000001E10000-memory.dmp

Filesize
576KB

Download
memory/1216-69-0x0000000004DB0000-0x0000000004EA6000-memory.dmp

Filesize
984KB

Download
memory/1216-76-0x00000000049E0000-0x0000000004AA6000-memory.dmp

Filesize
792KB

Download
memory/1832-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads