xloader | 6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5

General

Target

Order_15078.exe
Size

685KB
MD5

c50b491461d89171d660abcc9c654171
SHA1

e1cc6e9512546b2a8eefd3741f52c30121be3dea
SHA256

6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5
SHA512

7589ece7798fa6affec99655d301cb23acd8a25654c0411ad6e871247a24b31653ea8b6249b6440124acb5fad5f390f73e8cbb7ee76be1970ee12f4ad27e52e0

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.steveblexrud.com/rqe8/

Decoy

bjft.net

abrosnm3.com

badlistens.com

signal-japan.com

schaka.com

kingdompersonalbranding.com

sewmenship.com

lzproperty.com

mojoimpacthosting.com

carinsurancecoverage.care

corporatemercadona.com

mobileswash.com

forevercelebration2026.com

co-het.com

bellesherlou.com

commentsoldgolf.com

onlytwod.group

utesco.info

martstrip.com

onszdgu.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3916-121-0x0000000007370000-0x000000000737B000-memory.dmp	CustAttr

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2036-124-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2036-125-0x000000000041CFE0-mapping.dmp	xloader
behavioral2/memory/1344-131-0x0000000000A50000-0x0000000000A78000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order_15078.exeOrder_15078.exewlanext.exe

description	pid	process	target process
PID 3916 set thread context of 2036	3916	Order_15078.exe	Order_15078.exe
PID 2036 set thread context of 3052	2036	Order_15078.exe	Explorer.EXE
PID 1344 set thread context of 3052	1344	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Order_15078.exewlanext.exe

pid	process
2036	Order_15078.exe
2036	Order_15078.exe
2036	Order_15078.exe
2036	Order_15078.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe
1344	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Order_15078.exewlanext.exe

pid process

2036 Order_15078.exe
2036 Order_15078.exe
2036 Order_15078.exe
1344 wlanext.exe
1344 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order_15078.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2036 Order_15078.exe
Token: SeDebugPrivilege 1344 wlanext.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
3052	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2036	Order_15078.exe
Token: SeDebugPrivilege	1344	wlanext.exe

pid	process
3052	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order_15078.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3916 wrote to memory of 2036	3916	Order_15078.exe	Order_15078.exe
PID 3052 wrote to memory of 1344	3052	Explorer.EXE	wlanext.exe
PID 3052 wrote to memory of 1344	3052	Explorer.EXE	wlanext.exe
PID 3052 wrote to memory of 1344	3052	Explorer.EXE	wlanext.exe
PID 1344 wrote to memory of 3584	1344	wlanext.exe	cmd.exe
PID 1344 wrote to memory of 3584	1344	wlanext.exe	cmd.exe
PID 1344 wrote to memory of 3584	1344	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
3⤵
PID:3584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-129-0x0000000000000000-mapping.dmp

Download
memory/1344-134-0x0000000003400000-0x000000000348F000-memory.dmp

Filesize
572KB

Download
memory/1344-133-0x00000000030E0000-0x0000000003400000-memory.dmp

Filesize
3.1MB

Download
memory/1344-131-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/1344-130-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/2036-125-0x000000000041CFE0-mapping.dmp

Download
memory/2036-126-0x0000000001760000-0x0000000001A80000-memory.dmp

Filesize
3.1MB

Download
memory/2036-127-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/2036-124-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-128-0x0000000008B80000-0x0000000008D13000-memory.dmp

Filesize
1.6MB

Download
memory/3052-135-0x0000000006800000-0x0000000006920000-memory.dmp

Filesize
1.1MB

Download
memory/3584-132-0x0000000000000000-mapping.dmp

Download
memory/3916-123-0x0000000007650000-0x000000000767F000-memory.dmp

Filesize
188KB

Download
memory/3916-114-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3916-122-0x0000000008CD0000-0x0000000008D42000-memory.dmp

Filesize
456KB

Download
memory/3916-121-0x0000000007370000-0x000000000737B000-memory.dmp

Filesize
44KB

Download
memory/3916-120-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/3916-119-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3916-118-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3916-117-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3916-116-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads