xloader | 8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701

General

Target

Sales Order.exe
Size

1014KB
MD5

fd84eb337a51966294ba08722170bf46
SHA1

1f529d60e2dc50deaac59af322708039da33c3be
SHA256

8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701
SHA512

a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.jantesetaccessoires.com/p6f2/

Decoy

redsnews.com

vr859.com

postmasterstudios.com

hampsteadorganizer.com

hangshop.net

maheshwaramlawcollege.com

5156087.com

gtaaddict.com

faj.xyz

drivechicagoillinois.com

neerutech.com

b2brahmas.com

freshlookks.com

propertyparallel.tech

tlwbyads.com

sellektorkids.com

dexs.fyi

kileybrock.com

nervstudio.com

tosg-ltd.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-66-0x000000000041D050-mapping.dmp	xloader
behavioral1/memory/2012-65-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1788-73-0x00000000000C0000-0x00000000000E8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1256 cmd.exe

pid	process
1256	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Sales Order.exeSales Order.exemstsc.exe

description	pid	process	target process
PID 308 set thread context of 2012	308	Sales Order.exe	Sales Order.exe
PID 2012 set thread context of 1264	2012	Sales Order.exe	Explorer.EXE
PID 1788 set thread context of 1264	1788	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Sales Order.exemstsc.exe

pid	process
2012	Sales Order.exe
2012	Sales Order.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe
1788	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Sales Order.exemstsc.exe

pid process

2012 Sales Order.exe
2012 Sales Order.exe
2012 Sales Order.exe
1788 mstsc.exe
1788 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sales Order.exemstsc.exe

description pid process

Token: SeDebugPrivilege 2012 Sales Order.exe
Token: SeDebugPrivilege 1788 mstsc.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2012	Sales Order.exe
Token: SeDebugPrivilege	1788	mstsc.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Sales Order.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 308 wrote to memory of 2012	308	Sales Order.exe	Sales Order.exe
PID 1264 wrote to memory of 1788	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 1788	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 1788	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 1788	1264	Explorer.EXE	mstsc.exe
PID 1788 wrote to memory of 1256	1788	mstsc.exe	cmd.exe
PID 1788 wrote to memory of 1256	1788	mstsc.exe	cmd.exe
PID 1788 wrote to memory of 1256	1788	mstsc.exe	cmd.exe
PID 1788 wrote to memory of 1256	1788	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
3⤵
- Deletes itself
PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-62-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/308-63-0x0000000000800000-0x000000000087B000-memory.dmp

Filesize
492KB

Download
memory/308-64-0x0000000000270000-0x000000000027F000-memory.dmp

Filesize
60KB

Download
memory/308-60-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1256-74-0x0000000000000000-mapping.dmp

Download
memory/1264-69-0x00000000069C0000-0x0000000006B49000-memory.dmp

Filesize
1.5MB

Download
memory/1264-77-0x00000000072D0000-0x00000000073F9000-memory.dmp

Filesize
1.2MB

Download
memory/1788-73-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/1788-70-0x0000000000000000-mapping.dmp

Download
memory/1788-71-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1788-72-0x0000000000E70000-0x0000000000F74000-memory.dmp

Filesize
1.0MB

Download
memory/1788-75-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download
memory/1788-76-0x0000000000A70000-0x0000000000AFF000-memory.dmp

Filesize
572KB

Download
memory/2012-68-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2012-67-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download
memory/2012-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2012-66-0x000000000041D050-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads