xloader | 6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5

General

Target

Order_15078.exe
Size

685KB
MD5

c50b491461d89171d660abcc9c654171
SHA1

e1cc6e9512546b2a8eefd3741f52c30121be3dea
SHA256

6db6324fe282260a224e77fff9bdad3240a63d48ac587f2a701785ea69c317a5
SHA512

7589ece7798fa6affec99655d301cb23acd8a25654c0411ad6e871247a24b31653ea8b6249b6440124acb5fad5f390f73e8cbb7ee76be1970ee12f4ad27e52e0

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.steveblexrud.com/rqe8/

Decoy

bjft.net

abrosnm3.com

badlistens.com

signal-japan.com

schaka.com

kingdompersonalbranding.com

sewmenship.com

lzproperty.com

mojoimpacthosting.com

carinsurancecoverage.care

corporatemercadona.com

mobileswash.com

forevercelebration2026.com

co-het.com

bellesherlou.com

commentsoldgolf.com

onlytwod.group

utesco.info

martstrip.com

onszdgu.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1208-62-0x0000000000880000-0x000000000088B000-memory.dmp	CustAttr

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-65-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/784-66-0x000000000041CFE0-mapping.dmp	xloader
behavioral1/memory/1008-73-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

944 cmd.exe

pid	process
944	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order_15078.exeOrder_15078.exehelp.exe

description	pid	process	target process
PID 1208 set thread context of 784	1208	Order_15078.exe	Order_15078.exe
PID 784 set thread context of 1256	784	Order_15078.exe	Explorer.EXE
PID 1008 set thread context of 1256	1008	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Order_15078.exehelp.exe

pid	process
784	Order_15078.exe
784	Order_15078.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe
1008	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Order_15078.exehelp.exe

pid process

784 Order_15078.exe
784 Order_15078.exe
784 Order_15078.exe
1008 help.exe
1008 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order_15078.exehelp.exe

description pid process

Token: SeDebugPrivilege 784 Order_15078.exe
Token: SeDebugPrivilege 1008 help.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	784	Order_15078.exe
Token: SeDebugPrivilege	1008	help.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order_15078.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1208 wrote to memory of 784	1208	Order_15078.exe	Order_15078.exe
PID 1256 wrote to memory of 1008	1256	Explorer.EXE	help.exe
PID 1256 wrote to memory of 1008	1256	Explorer.EXE	help.exe
PID 1256 wrote to memory of 1008	1256	Explorer.EXE	help.exe
PID 1256 wrote to memory of 1008	1256	Explorer.EXE	help.exe
PID 1008 wrote to memory of 944	1008	help.exe	cmd.exe
PID 1008 wrote to memory of 944	1008	help.exe	cmd.exe
PID 1008 wrote to memory of 944	1008	help.exe	cmd.exe
PID 1008 wrote to memory of 944	1008	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Order_15078.exe
"C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order_15078.exe"
3⤵
- Deletes itself
PID:944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/784-67-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/784-68-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/784-66-0x000000000041CFE0-mapping.dmp

Download
memory/944-71-0x0000000000000000-mapping.dmp

Download
memory/1008-72-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1008-70-0x0000000000000000-mapping.dmp

Download
memory/1008-73-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1008-74-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/1008-75-0x0000000000490000-0x000000000051F000-memory.dmp

Filesize
572KB

Download
memory/1008-77-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1208-64-0x0000000000A30000-0x0000000000A5F000-memory.dmp

Filesize
188KB

Download
memory/1208-63-0x0000000005AA0000-0x0000000005B12000-memory.dmp

Filesize
456KB

Download
memory/1208-62-0x0000000000880000-0x000000000088B000-memory.dmp

Filesize
44KB

Download
memory/1208-61-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1208-59-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000006150000-0x000000000629D000-memory.dmp

Filesize
1.3MB

Download
memory/1256-76-0x00000000090E0000-0x0000000009267000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads