xloader | aeda7a96e228c8f05a1f0a09d6bb369be8affba7107fd65a558b9b1cb1701e62

General

Target

RFQ order for 180kg.exe
Size

1.3MB
MD5

50010c0aaa0feb41e0889b806e46ed87
SHA1

9ea766edbc1fbc50268787a124522b0b935de721
SHA256

bd6455c559a9308054622aa9a30388d0ac83dd09af4ce4d1e9a715e2f1baeb53
SHA512

2d88aeedd2792e12baf1e90f550082e7cc0b01ae1add8226af5710c586ae79f2b46420a23d5f75c438ec9c88e9eb561db26169b72732a8bedf0121f46d04545f

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jiltedowl.com/um8e/

Decoy

theypretend.com

hopeschildren.com

kuly.cloud

maniflexx.net

bedtimesocietyblog.com

spenglerwetlandpreserve.com

unity-play.net

bonap56.com

consciencevc.com

deluxeluxe.com

officialjuliep.com

cttrade.club

quietflyt.com

mcabspl.com

lippocaritahotel.com

tolanfilms.xyz

momenaagro.com

slingshotart.com

thefoundershuddle.com

mobilbaris.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/752-65-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/752-66-0x000000000041CFD0-mapping.dmp	xloader
behavioral1/memory/928-74-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1644 cmd.exe

pid	process
1644	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ order for 180kg.exeRFQ order for 180kg.execmstp.exe

description	pid	process	target process
PID 1096 set thread context of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 752 set thread context of 1228	752	RFQ order for 180kg.exe	Explorer.EXE
PID 928 set thread context of 1228	928	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

RFQ order for 180kg.exeRFQ order for 180kg.execmstp.exe

pid	process
1096	RFQ order for 180kg.exe
752	RFQ order for 180kg.exe
752	RFQ order for 180kg.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe
928	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ order for 180kg.execmstp.exe

pid process

752 RFQ order for 180kg.exe
752 RFQ order for 180kg.exe
752 RFQ order for 180kg.exe
928 cmstp.exe
928 cmstp.exe

pid	process
752	RFQ order for 180kg.exe
752	RFQ order for 180kg.exe
752	RFQ order for 180kg.exe
928	cmstp.exe
928	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ order for 180kg.exeRFQ order for 180kg.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1096	RFQ order for 180kg.exe
Token: SeDebugPrivilege	752	RFQ order for 180kg.exe
Token: SeDebugPrivilege	928	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ order for 180kg.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1096 wrote to memory of 752	1096	RFQ order for 180kg.exe	RFQ order for 180kg.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	cmstp.exe
PID 928 wrote to memory of 1644	928	cmstp.exe	cmd.exe
PID 928 wrote to memory of 1644	928	cmstp.exe	cmd.exe
PID 928 wrote to memory of 1644	928	cmstp.exe	cmd.exe
PID 928 wrote to memory of 1644	928	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\RFQ order for 180kg.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ order for 180kg.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\RFQ order for 180kg.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ order for 180kg.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1512

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1524

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1852

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1892

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:784

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:384

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:432

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:592

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1196

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1064

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1380

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1640

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:932

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1820

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:964

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:812

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:736

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1872

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ order for 180kg.exe"
3⤵
- Deletes itself
PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/752-66-0x000000000041CFD0-mapping.dmp

Download
memory/752-67-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/752-68-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/928-70-0x0000000000000000-mapping.dmp

Download
memory/928-76-0x00000000003E0000-0x000000000046F000-memory.dmp

Filesize
572KB

Download
memory/928-74-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/928-75-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/928-73-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/928-71-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1096-64-0x00000000007A0000-0x00000000007CB000-memory.dmp

Filesize
172KB

Download
memory/1096-59-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1096-63-0x0000000005210000-0x0000000005280000-memory.dmp

Filesize
448KB

Download
memory/1096-62-0x0000000000530000-0x000000000055D000-memory.dmp

Filesize
180KB

Download
memory/1096-61-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1228-69-0x0000000004B80000-0x0000000004C6B000-memory.dmp

Filesize
940KB

Download
memory/1228-77-0x0000000003D20000-0x0000000003DD9000-memory.dmp

Filesize
740KB

Download
memory/1644-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads