xloader | 72f524700194c68a6f78f7d0d984e579b736d328ef5900d34f26773855f25d42

General

Target

PO#2005042020.exe
Size

1011KB
MD5

a6be00db2846375bca4609defecd7bf5
SHA1

b942941deafa2af11fd59731a4bb84808601ef29
SHA256

72f524700194c68a6f78f7d0d984e579b736d328ef5900d34f26773855f25d42
SHA512

deab5d2aeffd5b7f022bcafe686844845a191f39bb9157d4a6d053e9e4de134dc3cd479badc3f3a0ab3526711429f9b4353f066adccc1cbe6992d900e8294a2a

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.ameri.loans/dt9v/

Decoy

scandinavianview.com

120x600businessskyscraper.fail

livebigrace.com

fussygang.net

afiyetmarket.com

shopcerygensan.com

iregentos.info

anidonia.com

vtnywvebm.club

envcons.com

blackpharaohbeards.com

shortsnsuits.com

digitalvv.com

czechagents.com

texasadvancedsurgery.com

erhob.com

fastypro.com

singlemomsurvival.com

mohitiitr.com

airsoftoutlet.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/920-125-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/920-126-0x000000000041D020-mapping.dmp	xloader
behavioral2/memory/4004-133-0x0000000000140000-0x0000000000168000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO#2005042020.exePO#2005042020.exenetsh.exe

description	pid	process	target process
PID 568 set thread context of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 920 set thread context of 2988	920	PO#2005042020.exe	Explorer.EXE
PID 4004 set thread context of 2988	4004	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

PO#2005042020.exePO#2005042020.exenetsh.exe

pid	process
568	PO#2005042020.exe
568	PO#2005042020.exe
920	PO#2005042020.exe
920	PO#2005042020.exe
920	PO#2005042020.exe
920	PO#2005042020.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO#2005042020.exenetsh.exe

pid process

920 PO#2005042020.exe
920 PO#2005042020.exe
920 PO#2005042020.exe
4004 netsh.exe
4004 netsh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO#2005042020.exePO#2005042020.exenetsh.exe

description pid process

Token: SeDebugPrivilege 568 PO#2005042020.exe
Token: SeDebugPrivilege 920 PO#2005042020.exe
Token: SeDebugPrivilege 4004 netsh.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE

pid	process
2988	Explorer.EXE

pid	process
920	PO#2005042020.exe
920	PO#2005042020.exe
920	PO#2005042020.exe
4004	netsh.exe
4004	netsh.exe

description	pid	process
Token: SeDebugPrivilege	568	PO#2005042020.exe
Token: SeDebugPrivilege	920	PO#2005042020.exe
Token: SeDebugPrivilege	4004	netsh.exe

pid	process
2988	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO#2005042020.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 568 wrote to memory of 1964	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 1964	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 1964	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 568 wrote to memory of 920	568	PO#2005042020.exe	PO#2005042020.exe
PID 2988 wrote to memory of 4004	2988	Explorer.EXE	netsh.exe
PID 2988 wrote to memory of 4004	2988	Explorer.EXE	netsh.exe
PID 2988 wrote to memory of 4004	2988	Explorer.EXE	netsh.exe
PID 4004 wrote to memory of 1256	4004	netsh.exe	cmd.exe
PID 4004 wrote to memory of 1256	4004	netsh.exe	cmd.exe
PID 4004 wrote to memory of 1256	4004	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe
"C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe
"C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe
"C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#2005042020.exe"
3⤵
PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-114-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/568-116-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/568-117-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/568-118-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/568-119-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/568-120-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/568-121-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/568-122-0x0000000008880000-0x000000000889B000-memory.dmp

Filesize
108KB

Download
memory/568-123-0x00000000088F0000-0x000000000895E000-memory.dmp

Filesize
440KB

Download
memory/568-124-0x0000000008960000-0x000000000898B000-memory.dmp

Filesize
172KB

Download
memory/920-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/920-126-0x000000000041D020-mapping.dmp

Download
memory/920-128-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/920-127-0x0000000001630000-0x0000000001950000-memory.dmp

Filesize
3.1MB

Download
memory/1256-131-0x0000000000000000-mapping.dmp

Download
memory/2988-129-0x0000000002A20000-0x0000000002AD9000-memory.dmp

Filesize
740KB

Download
memory/2988-136-0x0000000002DB0000-0x0000000002E63000-memory.dmp

Filesize
716KB

Download
memory/4004-130-0x0000000000000000-mapping.dmp

Download
memory/4004-133-0x0000000000140000-0x0000000000168000-memory.dmp

Filesize
160KB

Download
memory/4004-134-0x0000000002E40000-0x0000000003160000-memory.dmp

Filesize
3.1MB

Download
memory/4004-132-0x0000000000C80000-0x0000000000C9E000-memory.dmp

Filesize
120KB

Download
memory/4004-135-0x0000000002CA0000-0x0000000002D2F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads