xloader | 6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5

General

Target

Order_15078.exe
Size

685KB
MD5

c50b491461d89171d660abcc9c654171
SHA1

e1cc6e9512546b2a8eefd3741f52c30121be3dea
SHA256

6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5
SHA512

7589ece7798fa6affec99655d301cb23acd8a25654c0411ad6e871247a24b31653ea8b6249b6440124acb5fad5f390f73e8cbb7ee76be1970ee12f4ad27e52e0

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.steveblexrud.com/rqe8/

Decoy

bjft.net

abrosnm3.com

badlistens.com

signal-japan.com

schaka.com

kingdompersonalbranding.com

sewmenship.com

lzproperty.com

mojoimpacthosting.com

carinsurancecoverage.care

corporatemercadona.com

mobileswash.com

forevercelebration2026.com

co-het.com

bellesherlou.com

commentsoldgolf.com

onlytwod.group

utesco.info

martstrip.com

onszdgu.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1848-63-0x00000000001D0000-0x00000000001DB000-memory.dmp	CustAttr

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-67-0x000000000041CFE0-mapping.dmp	xloader
behavioral1/memory/1692-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/440-75-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

348 cmd.exe

pid	process
348	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Order_15078.exeOrder_15078.exewlanext.exe

description	pid	process	target process
PID 1848 set thread context of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1692 set thread context of 1200	1692	Order_15078.exe	Explorer.EXE
PID 1692 set thread context of 1200	1692	Order_15078.exe	Explorer.EXE
PID 440 set thread context of 1200	440	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Order_15078.exewlanext.exe

pid	process
1692	Order_15078.exe
1692	Order_15078.exe
1692	Order_15078.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe
440	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order_15078.exewlanext.exe

pid process

1692 Order_15078.exe
1692 Order_15078.exe
1692 Order_15078.exe
1692 Order_15078.exe
440 wlanext.exe
440 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order_15078.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1692 Order_15078.exe
Token: SeDebugPrivilege 440 wlanext.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1692	Order_15078.exe
Token: SeDebugPrivilege	440	wlanext.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order_15078.exeOrder_15078.exewlanext.exe

description	pid	process	target process
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1848 wrote to memory of 1692	1848	Order_15078.exe	Order_15078.exe
PID 1692 wrote to memory of 440	1692	Order_15078.exe	wlanext.exe
PID 1692 wrote to memory of 440	1692	Order_15078.exe	wlanext.exe
PID 1692 wrote to memory of 440	1692	Order_15078.exe	wlanext.exe
PID 1692 wrote to memory of 440	1692	Order_15078.exe	wlanext.exe
PID 440 wrote to memory of 348	440	wlanext.exe	cmd.exe
PID 440 wrote to memory of 348	440	wlanext.exe	cmd.exe
PID 440 wrote to memory of 348	440	wlanext.exe	cmd.exe
PID 440 wrote to memory of 348	440	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
5⤵
- Deletes itself
PID:348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/348-77-0x0000000000000000-mapping.dmp

Download
memory/440-78-0x0000000001D40000-0x0000000001DCF000-memory.dmp

Filesize
572KB

Download
memory/440-76-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/440-74-0x00000000000F0000-0x0000000000106000-memory.dmp

Filesize
88KB

Download
memory/440-75-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/440-73-0x0000000000000000-mapping.dmp

Download
memory/1200-70-0x0000000004AF0000-0x0000000004C10000-memory.dmp

Filesize
1.1MB

Download
memory/1200-79-0x0000000009190000-0x0000000009308000-memory.dmp

Filesize
1.5MB

Download
memory/1200-72-0x00000000044E0000-0x0000000004598000-memory.dmp

Filesize
736KB

Download
memory/1692-69-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1692-71-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1692-68-0x0000000000B90000-0x0000000000E93000-memory.dmp

Filesize
3.0MB

Download
memory/1692-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1692-67-0x000000000041CFE0-mapping.dmp

Download
memory/1848-60-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1848-65-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1848-64-0x0000000008000000-0x0000000008072000-memory.dmp

Filesize
456KB

Download
memory/1848-63-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1848-62-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads