xloader | b1556816a1b2f1adfa7bfb10794d9e757d34f920b415aa0152c5ab70158a270c

General

Target

lono.exe
Size

960KB
MD5

3dd87d18a1e0e5d97de8b77458d18f74
SHA1

ab1538aa18a14156ac7e20bba7329bac26216745
SHA256

d050c9c41083b76f378f09e9c5394cfef4a18d7de11a87720b2e5e3cf704330b
SHA512

d0dd1b6e6acded09d8783389a5fab9e503cd37ac4759fd3b1f714ff1d103ee858d43dc558503545b6e5a2545383ba47ed91b44953207107b616a79ae30d2fcd2

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jantesetaccessoires.com/p6f2/

Decoy

redsnews.com

vr859.com

postmasterstudios.com

hampsteadorganizer.com

hangshop.net

maheshwaramlawcollege.com

5156087.com

gtaaddict.com

faj.xyz

drivechicagoillinois.com

neerutech.com

b2brahmas.com

freshlookks.com

propertyparallel.tech

tlwbyads.com

sellektorkids.com

dexs.fyi

kileybrock.com

nervstudio.com

tosg-ltd.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1976-65-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1976-66-0x000000000041D050-mapping.dmp	xloader
behavioral1/memory/524-73-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe

pid	process
1208	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lono.exelono.exeNETSTAT.EXE

description	pid	process	target process
PID 1832 set thread context of 1976	1832	lono.exe	lono.exe
PID 1976 set thread context of 1212	1976	lono.exe	Explorer.EXE
PID 524 set thread context of 1212	524	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

524 NETSTAT.EXE

pid	process
524	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

lono.exeNETSTAT.EXE

pid	process
1976	lono.exe
1976	lono.exe
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE
524	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

lono.exeNETSTAT.EXE

pid process

1976 lono.exe
1976 lono.exe
1976 lono.exe
524 NETSTAT.EXE
524 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lono.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1976 lono.exe
Token: SeDebugPrivilege 524 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1976	lono.exe
Token: SeDebugPrivilege	524	NETSTAT.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

lono.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1832 wrote to memory of 1976	1832	lono.exe	lono.exe
PID 1212 wrote to memory of 524	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 524	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 524	1212	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 524	1212	Explorer.EXE	NETSTAT.EXE
PID 524 wrote to memory of 1208	524	NETSTAT.EXE	cmd.exe
PID 524 wrote to memory of 1208	524	NETSTAT.EXE	cmd.exe
PID 524 wrote to memory of 1208	524	NETSTAT.EXE	cmd.exe
PID 524 wrote to memory of 1208	524	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\lono.exe
"C:\Users\Admin\AppData\Local\Temp\lono.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\lono.exe
"C:\Users\Admin\AppData\Local\Temp\lono.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lono.exe"
3⤵
- Deletes itself
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-70-0x0000000000000000-mapping.dmp

Download
memory/524-75-0x0000000000B80000-0x0000000000C0F000-memory.dmp

Filesize
572KB

Download
memory/524-74-0x0000000002190000-0x0000000002493000-memory.dmp

Filesize
3.0MB

Download
memory/524-73-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/524-72-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/1208-71-0x0000000000000000-mapping.dmp

Download
memory/1212-69-0x0000000004F90000-0x00000000050BB000-memory.dmp

Filesize
1.2MB

Download
memory/1212-76-0x0000000003E20000-0x0000000003EEC000-memory.dmp

Filesize
816KB

Download
memory/1832-60-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1832-64-0x00000000008A0000-0x00000000008AF000-memory.dmp

Filesize
60KB

Download
memory/1832-63-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/1832-62-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1976-68-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1976-67-0x0000000000B40000-0x0000000000E43000-memory.dmp

Filesize
3.0MB

Download
memory/1976-66-0x000000000041D050-mapping.dmp

Download
memory/1976-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads