xloader | fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075

General

Target

0ictba3ik3lrJnW.exe
Size

859KB
MD5

6e77fe0eb26c4834a5411e66a78a3e69
SHA1

5c9768be8ed60c6190e68deeebc5f3c1cdbf531a
SHA256

fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075
SHA512

dc466d692eee548dbcc161904527a27b2a80ebc0ae4a366a8d08a21ec627fd6ef127db3aaf0b1ec567e7ac0a5aae71374a285d1aba5cb5bb59d24d3d65a51eef

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hokutiki.com/cogt/

Decoy

britechsoft.com

vitortedeschi.com

nittwittridge.net

nblianger.com

fs133.net

theprairiesky.com

mylexinova.com

loveiscomingbook.com

thehouseoflightning.com

gulbahorfoodblogger.online

exploringanddiscovering.com

edyscleaning.com

jihalbroskorea.com

sammys-cafe.com

smallbluer.com

voglioincontri.com

aaareplicamall.com

empireofglam.com

4hu5555.com

cookiescalofornia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/520-67-0x000000000041CFF0-mapping.dmp	xloader
behavioral1/memory/1632-76-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe

pid	process
1652	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0ictba3ik3lrJnW.exe0ictba3ik3lrJnW.execmstp.exe

description	pid	process	target process
PID 1100 set thread context of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 520 set thread context of 1196	520	0ictba3ik3lrJnW.exe	Explorer.EXE
PID 520 set thread context of 1196	520	0ictba3ik3lrJnW.exe	Explorer.EXE
PID 1632 set thread context of 1196	1632	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

0ictba3ik3lrJnW.execmstp.exe

pid	process
520	0ictba3ik3lrJnW.exe
520	0ictba3ik3lrJnW.exe
520	0ictba3ik3lrJnW.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe
1632	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

0ictba3ik3lrJnW.execmstp.exe

pid process

520 0ictba3ik3lrJnW.exe
520 0ictba3ik3lrJnW.exe
520 0ictba3ik3lrJnW.exe
520 0ictba3ik3lrJnW.exe
1632 cmstp.exe
1632 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ictba3ik3lrJnW.execmstp.exe

description pid process

Token: SeDebugPrivilege 520 0ictba3ik3lrJnW.exe
Token: SeDebugPrivilege 1632 cmstp.exe

description	pid	process
Token: SeDebugPrivilege	520	0ictba3ik3lrJnW.exe
Token: SeDebugPrivilege	1632	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0ictba3ik3lrJnW.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1100 wrote to memory of 520	1100	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1196 wrote to memory of 1632	1196	Explorer.EXE	cmstp.exe
PID 1632 wrote to memory of 1652	1632	cmstp.exe	cmd.exe
PID 1632 wrote to memory of 1652	1632	cmstp.exe	cmd.exe
PID 1632 wrote to memory of 1652	1632	cmstp.exe	cmd.exe
PID 1632 wrote to memory of 1652	1632	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
- Deletes itself
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/520-67-0x000000000041CFF0-mapping.dmp

Download
memory/520-69-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/520-68-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/520-71-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1100-60-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1100-62-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1100-63-0x00000000004C0000-0x00000000004DB000-memory.dmp

Filesize
108KB

Download
memory/1100-64-0x0000000002220000-0x0000000002290000-memory.dmp

Filesize
448KB

Download
memory/1100-65-0x00000000022D0000-0x00000000022FE000-memory.dmp

Filesize
184KB

Download
memory/1196-72-0x0000000006A40000-0x0000000006BB5000-memory.dmp

Filesize
1.5MB

Download
memory/1196-70-0x0000000004910000-0x00000000049DA000-memory.dmp

Filesize
808KB

Download
memory/1196-80-0x00000000091F0000-0x000000000932D000-memory.dmp

Filesize
1.2MB

Download
memory/1632-73-0x0000000000000000-mapping.dmp

Download
memory/1632-74-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1632-75-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/1632-76-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1632-78-0x0000000002160000-0x0000000002463000-memory.dmp

Filesize
3.0MB

Download
memory/1632-79-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1652-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads