xloader | 7a34064785bd677a927fa90988d9001aed285762f230d0fe08db7b2ca89ce987

General

Target

Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
Size

252KB
MD5

f02f2961032796a25c7e090bb4f70566
SHA1

8c530a1533800db7d8dea165ea93421e2c996dad
SHA256

7a34064785bd677a927fa90988d9001aed285762f230d0fe08db7b2ca89ce987
SHA512

92df5ef56be6a6f5eeaeeb9b11559ca0a2960de9e7e0ba3a24308d603fa7be3375e41f7a618b6d02a4d7739b3ac75ba91203bf2ecfe963689539bc05dcdb0507

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.skelligsseasafari.com/dzqd/

Decoy

weekendsday.com

kansasfriedchiken.com

bestselfdrive.com

timeleveragechallenge.com

theunboxiblenation.net

adriaeurope-group.com

acrylicphotobloc.com

theincentivized.com

histreetbutler.com

kumamkt.com

cutepuppyspot.store

crisp-ui.com

easyecotour.com

longshotloungeenglewood.com

esotericclothingco.com

henglai58.com

handmadecircles.com

k9itsrk940aeq6.xyz

service-it-net.com

rt-p-c-14h9-1elk-jpzs.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1296-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2476-124-0x0000000000670000-0x0000000000699000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order-CNS Amura Precision Co., Ltd 9A210118KR.exeOrder-CNS Amura Precision Co., Ltd 9A210118KR.exemsiexec.exe

description	pid	process	target process
PID 3540 set thread context of 1296	3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
PID 1296 set thread context of 2756	1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Explorer.EXE
PID 2476 set thread context of 2756	2476	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Order-CNS Amura Precision Co., Ltd 9A210118KR.exemsiexec.exe

pid	process
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe
2476	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE

pid	process
2756	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order-CNS Amura Precision Co., Ltd 9A210118KR.exeOrder-CNS Amura Precision Co., Ltd 9A210118KR.exemsiexec.exe

pid	process
3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
2476	msiexec.exe
2476	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Order-CNS Amura Precision Co., Ltd 9A210118KR.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1296	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
Token: SeShutdownPrivilege	2756	Explorer.EXE
Token: SeCreatePagefilePrivilege	2756	Explorer.EXE
Token: SeShutdownPrivilege	2756	Explorer.EXE
Token: SeCreatePagefilePrivilege	2756	Explorer.EXE
Token: SeDebugPrivilege	2476	msiexec.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE

pid	process
2756	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Order-CNS Amura Precision Co., Ltd 9A210118KR.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3540 wrote to memory of 1296	3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
PID 3540 wrote to memory of 1296	3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
PID 3540 wrote to memory of 1296	3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
PID 3540 wrote to memory of 1296	3540	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe	Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
PID 2756 wrote to memory of 2476	2756	Explorer.EXE	msiexec.exe
PID 2756 wrote to memory of 2476	2756	Explorer.EXE	msiexec.exe
PID 2756 wrote to memory of 2476	2756	Explorer.EXE	msiexec.exe
PID 2476 wrote to memory of 1236	2476	msiexec.exe	cmd.exe
PID 2476 wrote to memory of 1236	2476	msiexec.exe	cmd.exe
PID 2476 wrote to memory of 1236	2476	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
"C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe
"C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order-CNS Amura Precision Co., Ltd 9A210118KR.exe"
3⤵
PID:1236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-125-0x0000000000000000-mapping.dmp

Download
memory/1296-117-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/1296-114-0x000000000041D100-mapping.dmp

Download
memory/1296-118-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/1296-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2476-120-0x0000000000000000-mapping.dmp

Download
memory/2476-123-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/2476-124-0x0000000000670000-0x0000000000699000-memory.dmp

Filesize
164KB

Download
memory/2476-126-0x0000000004560000-0x0000000004880000-memory.dmp

Filesize
3.1MB

Download
memory/2476-127-0x0000000004330000-0x00000000043BF000-memory.dmp

Filesize
572KB

Download
memory/2756-119-0x0000000004C50000-0x0000000004D6F000-memory.dmp

Filesize
1.1MB

Download
memory/2756-128-0x0000000004D70000-0x0000000004E33000-memory.dmp

Filesize
780KB

Download
memory/3540-115-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads