xloader | fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075

General

Target

0ictba3ik3lrJnW.exe
Size

859KB
MD5

6e77fe0eb26c4834a5411e66a78a3e69
SHA1

5c9768be8ed60c6190e68deeebc5f3c1cdbf531a
SHA256

fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075
SHA512

dc466d692eee548dbcc161904527a27b2a80ebc0ae4a366a8d08a21ec627fd6ef127db3aaf0b1ec567e7ac0a5aae71374a285d1aba5cb5bb59d24d3d65a51eef

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hokutiki.com/cogt/

Decoy

britechsoft.com

vitortedeschi.com

nittwittridge.net

nblianger.com

fs133.net

theprairiesky.com

mylexinova.com

loveiscomingbook.com

thehouseoflightning.com

gulbahorfoodblogger.online

exploringanddiscovering.com

edyscleaning.com

jihalbroskorea.com

sammys-cafe.com

smallbluer.com

voglioincontri.com

aaareplicamall.com

empireofglam.com

4hu5555.com

cookiescalofornia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3292-124-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3292-125-0x000000000041CFF0-mapping.dmp	xloader
behavioral2/memory/3396-132-0x0000000002E80000-0x0000000002EA8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

0ictba3ik3lrJnW.exe0ictba3ik3lrJnW.exemstsc.exe

description	pid	process	target process
PID 2388 set thread context of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 3292 set thread context of 3020	3292	0ictba3ik3lrJnW.exe	Explorer.EXE
PID 3396 set thread context of 3020	3396	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

0ictba3ik3lrJnW.exe0ictba3ik3lrJnW.exemstsc.exe

pid	process
2388	0ictba3ik3lrJnW.exe
2388	0ictba3ik3lrJnW.exe
2388	0ictba3ik3lrJnW.exe
2388	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe
3396	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

0ictba3ik3lrJnW.exemstsc.exe

pid process

3292 0ictba3ik3lrJnW.exe
3292 0ictba3ik3lrJnW.exe
3292 0ictba3ik3lrJnW.exe
3396 mstsc.exe
3396 mstsc.exe

pid	process
3020	Explorer.EXE

pid	process
3292	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3292	0ictba3ik3lrJnW.exe
3396	mstsc.exe
3396	mstsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0ictba3ik3lrJnW.exe0ictba3ik3lrJnW.exemstsc.exe

description	pid	process
Token: SeDebugPrivilege	2388	0ictba3ik3lrJnW.exe
Token: SeDebugPrivilege	3292	0ictba3ik3lrJnW.exe
Token: SeDebugPrivilege	3396	mstsc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0ictba3ik3lrJnW.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2388 wrote to memory of 3288	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3288	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3288	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3464	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3464	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3464	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 2388 wrote to memory of 3292	2388	0ictba3ik3lrJnW.exe	0ictba3ik3lrJnW.exe
PID 3020 wrote to memory of 3396	3020	Explorer.EXE	mstsc.exe
PID 3020 wrote to memory of 3396	3020	Explorer.EXE	mstsc.exe
PID 3020 wrote to memory of 3396	3020	Explorer.EXE	mstsc.exe
PID 3396 wrote to memory of 2152	3396	mstsc.exe	cmd.exe
PID 3396 wrote to memory of 2152	3396	mstsc.exe	cmd.exe
PID 3396 wrote to memory of 2152	3396	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe
"C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\0ictba3ik3lrJnW.exe"
3⤵
PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-130-0x0000000000000000-mapping.dmp

Download
memory/2388-120-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2388-123-0x00000000069C0000-0x00000000069EE000-memory.dmp

Filesize
184KB

Download
memory/2388-118-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2388-119-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2388-121-0x00000000066F0000-0x000000000670B000-memory.dmp

Filesize
108KB

Download
memory/2388-122-0x0000000008120000-0x0000000008190000-memory.dmp

Filesize
448KB

Download
memory/2388-116-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2388-117-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3020-135-0x0000000005810000-0x0000000005941000-memory.dmp

Filesize
1.2MB

Download
memory/3020-128-0x0000000003000000-0x000000000316E000-memory.dmp

Filesize
1.4MB

Download
memory/3292-124-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3292-125-0x000000000041CFF0-mapping.dmp

Download
memory/3292-126-0x00000000018F0000-0x0000000001C10000-memory.dmp

Filesize
3.1MB

Download
memory/3292-127-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/3396-133-0x00000000046F0000-0x0000000004A10000-memory.dmp

Filesize
3.1MB

Download
memory/3396-131-0x00000000003A0000-0x000000000069C000-memory.dmp

Filesize
3.0MB

Download
memory/3396-132-0x0000000002E80000-0x0000000002EA8000-memory.dmp

Filesize
160KB

Download
memory/3396-129-0x0000000000000000-mapping.dmp

Download
memory/3396-134-0x0000000004530000-0x00000000045BF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads