xloader | 72f524700194c68a6f78f7d0d984e579b736d328ef5900d34f26773855f25d42

General

Target

PO#2005042020.exe
Size

1011KB
MD5

a6be00db2846375bca4609defecd7bf5
SHA1

b942941deafa2af11fd59731a4bb84808601ef29
SHA256

72f524700194c68a6f78f7d0d984e579b736d328ef5900d34f26773855f25d42
SHA512

deab5d2aeffd5b7f022bcafe686844845a191f39bb9157d4a6d053e9e4de134dc3cd479badc3f3a0ab3526711429f9b4353f066adccc1cbe6992d900e8294a2a

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.ameri.loans/dt9v/

Decoy

scandinavianview.com

120x600businessskyscraper.fail

livebigrace.com

fussygang.net

afiyetmarket.com

shopcerygensan.com

iregentos.info

anidonia.com

vtnywvebm.club

envcons.com

blackpharaohbeards.com

shortsnsuits.com

digitalvv.com

czechagents.com

texasadvancedsurgery.com

erhob.com

fastypro.com

singlemomsurvival.com

mohitiitr.com

airsoftoutlet.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1652-67-0x000000000041D020-mapping.dmp	xloader
behavioral1/memory/1652-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/756-76-0x00000000000C0000-0x00000000000E8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

576 cmd.exe

pid	process
576	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO#2005042020.exePO#2005042020.exeipconfig.exe

description	pid	process	target process
PID 1808 set thread context of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1652 set thread context of 1220	1652	PO#2005042020.exe	Explorer.EXE
PID 1652 set thread context of 1220	1652	PO#2005042020.exe	Explorer.EXE
PID 756 set thread context of 1220	756	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

756 ipconfig.exe

pid	process
756	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

PO#2005042020.exeipconfig.exe

pid	process
1652	PO#2005042020.exe
1652	PO#2005042020.exe
1652	PO#2005042020.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe
756	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO#2005042020.exeipconfig.exe

pid process

1652 PO#2005042020.exe
1652 PO#2005042020.exe
1652 PO#2005042020.exe
1652 PO#2005042020.exe
756 ipconfig.exe
756 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO#2005042020.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1652 PO#2005042020.exe
Token: SeDebugPrivilege 756 ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	1652	PO#2005042020.exe
Token: SeDebugPrivilege	756	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO#2005042020.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1808 wrote to memory of 1652	1808	PO#2005042020.exe	PO#2005042020.exe
PID 1220 wrote to memory of 756	1220	Explorer.EXE	ipconfig.exe
PID 1220 wrote to memory of 756	1220	Explorer.EXE	ipconfig.exe
PID 1220 wrote to memory of 756	1220	Explorer.EXE	ipconfig.exe
PID 1220 wrote to memory of 756	1220	Explorer.EXE	ipconfig.exe
PID 756 wrote to memory of 576	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 576	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 576	756	ipconfig.exe	cmd.exe
PID 756 wrote to memory of 576	756	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe
"C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe
"C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
3⤵
- Deletes itself
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-77-0x0000000000000000-mapping.dmp

Download
memory/756-79-0x0000000001F00000-0x0000000001F8F000-memory.dmp

Filesize
572KB

Download
memory/756-78-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/756-76-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/756-75-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/756-74-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/756-73-0x0000000000000000-mapping.dmp

Download
memory/1220-72-0x0000000006E40000-0x0000000006FD7000-memory.dmp

Filesize
1.6MB

Download
memory/1220-80-0x00000000070A0000-0x00000000071D3000-memory.dmp

Filesize
1.2MB

Download
memory/1220-70-0x0000000004B10000-0x0000000004C72000-memory.dmp

Filesize
1.4MB

Download
memory/1652-67-0x000000000041D020-mapping.dmp

Download
memory/1652-71-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/1652-68-0x0000000000C80000-0x0000000000F83000-memory.dmp

Filesize
3.0MB

Download
memory/1652-69-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1652-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1808-60-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1808-65-0x0000000004960000-0x000000000498B000-memory.dmp

Filesize
172KB

Download
memory/1808-64-0x0000000005080000-0x00000000050EE000-memory.dmp

Filesize
440KB

Download
memory/1808-63-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/1808-62-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads