xloader | 08893f139b09f2dc17635f17baf1f34d2fdf730ea44a41ba54b914ffc024f0c9

General

Target

Payment_invoice.exe
Size

638KB
MD5

29645cb14447ff578aaa9dc4243f11e6
SHA1

cae1f1cfae48a35897e6c64b4f5b3de807af9aa4
SHA256

08893f139b09f2dc17635f17baf1f34d2fdf730ea44a41ba54b914ffc024f0c9
SHA512

36bbcc580af0e2b33bfd351fa4693ed40ee9485d099767612e8d45c6e0643f28f3b39915a56f98529c9ad8a4e16dd6888144e6ba9e6ccd7e3a765c27294e01cf

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.illoftapartments.com/uecu/

Decoy

ishtarhotel.com

woodstrends.icu

jalenowens.com

manno.expert

ssg1asia.com

telepathylaw.com

quickoprintnv.com

abrosnm3.com

lumberjackcatering.com

beachujamaica.com

thomasjeffersonbyrd.com

starryfinds.com

shelavish2.com

royalglamempirellc.com

deixandomeuemprego.com

alexgoestech.xyz

opticamn.com

fermanchevybrandon.com

milbodegas.info

adunarsrl.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-65-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/268-66-0x000000000041D020-mapping.dmp	xloader
behavioral1/memory/888-72-0x00000000000D0000-0x00000000000F8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment_invoice.exeRegSvcs.exehelp.exe

description	pid	process	target process
PID 1076 set thread context of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 268 set thread context of 1264	268	RegSvcs.exe	Explorer.EXE
PID 888 set thread context of 1264	888	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Payment_invoice.exeRegSvcs.exehelp.exe

pid	process
1076	Payment_invoice.exe
268	RegSvcs.exe
268	RegSvcs.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe
888	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exehelp.exe

pid process

268 RegSvcs.exe
268 RegSvcs.exe
268 RegSvcs.exe
888 help.exe
888 help.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment_invoice.exeRegSvcs.exehelp.exe

description pid process

Token: SeDebugPrivilege 1076 Payment_invoice.exe
Token: SeDebugPrivilege 268 RegSvcs.exe
Token: SeDebugPrivilege 888 help.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

pid	process
268	RegSvcs.exe
268	RegSvcs.exe
268	RegSvcs.exe
888	help.exe
888	help.exe

description	pid	process
Token: SeDebugPrivilege	1076	Payment_invoice.exe
Token: SeDebugPrivilege	268	RegSvcs.exe
Token: SeDebugPrivilege	888	help.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Payment_invoice.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1076 wrote to memory of 268	1076	Payment_invoice.exe	RegSvcs.exe
PID 1264 wrote to memory of 888	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 888	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 888	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 888	1264	Explorer.EXE	help.exe
PID 888 wrote to memory of 712	888	help.exe	cmd.exe
PID 888 wrote to memory of 712	888	help.exe	cmd.exe
PID 888 wrote to memory of 712	888	help.exe	cmd.exe
PID 888 wrote to memory of 712	888	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/268-68-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/268-67-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/268-66-0x000000000041D020-mapping.dmp

Download
memory/712-73-0x0000000000000000-mapping.dmp

Download
memory/888-72-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/888-70-0x0000000000000000-mapping.dmp

Download
memory/888-71-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/888-74-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/888-75-0x0000000000510000-0x000000000059F000-memory.dmp

Filesize
572KB

Download
memory/888-77-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1076-64-0x0000000000FB0000-0x0000000000FE1000-memory.dmp

Filesize
196KB

Download
memory/1076-63-0x0000000005F70000-0x0000000005FF2000-memory.dmp

Filesize
520KB

Download
memory/1076-62-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/1076-59-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1076-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1264-69-0x0000000006EE0000-0x0000000007038000-memory.dmp

Filesize
1.3MB

Download
memory/1264-76-0x00000000066F0000-0x00000000067C5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads