xloader | d064e13de302104e85c1fbc8b177bc3b17ecf1dc0063ff1865d825b219d9f11d

General

Target

TT Transmitted Copy ETT1037468..exe
Size

878KB
MD5

1dc4a1aa19afef7c048a09bd00153ae9
SHA1

cfeac51f7427a964ece4c8faac0e028d31e4b7ea
SHA256

d064e13de302104e85c1fbc8b177bc3b17ecf1dc0063ff1865d825b219d9f11d
SHA512

fb6d0157dea7fb9b2c2a7fc0419d02ad6aaee1c681dd2d99c4fa3d1c46f7b33f78a3bbffa144ac7bcf6b2d12db84a6ab839d336d46e092e7ead94061d9a39408

Score

10^/10

xloader loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.desarrollosolucionesnavarro.com/ipa8/

Decoy

royalposhpups.com

univa.world

lanerbo.com

shopbabygo.com

theutahhomestore.com

serialmixer.icu

linfeiya.com

xn--12cg3de5c2eb5cyi.com

am-conseil-communication.com

dailygame168.com

therightmilitia.com

visions-agency.com

mapopi.com

frugallyketo.com

guapandglo.com

54w-x126v.net

your-health-kick.com

blockchainhub360.com

registernowhd.xyz

votekellykitashima.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3504-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3504-126-0x000000000041D0D0-mapping.dmp	xloader
behavioral2/memory/3028-132-0x0000000000410000-0x0000000000439000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

TT Transmitted Copy ETT1037468..exeTT Transmitted Copy ETT1037468..execontrol.exe

description	pid	process	target process
PID 3988 set thread context of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3504 set thread context of 2832	3504	TT Transmitted Copy ETT1037468..exe	Explorer.EXE
PID 3028 set thread context of 2832	3028	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

TT Transmitted Copy ETT1037468..exeTT Transmitted Copy ETT1037468..execontrol.exe

pid	process
3988	TT Transmitted Copy ETT1037468..exe
3988	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe
3028	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2832 Explorer.EXE

pid	process
2832	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

TT Transmitted Copy ETT1037468..execontrol.exe

pid	process
3504	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3504	TT Transmitted Copy ETT1037468..exe
3028	control.exe
3028	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TT Transmitted Copy ETT1037468..exeTT Transmitted Copy ETT1037468..execontrol.exe

description	pid	process
Token: SeDebugPrivilege	3988	TT Transmitted Copy ETT1037468..exe
Token: SeDebugPrivilege	3504	TT Transmitted Copy ETT1037468..exe
Token: SeDebugPrivilege	3028	control.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2832 Explorer.EXE

pid	process
2832	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

TT Transmitted Copy ETT1037468..exeExplorer.EXEcontrol.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy ETT1037468..exe
"C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy ETT1037468..exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy ETT1037468..exe
"{path}"
3⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy ETT1037468..exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\TT Transmitted Copy ETT1037468..exe"
3⤵
PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-133-0x0000000000000000-mapping.dmp

Download
memory/2832-129-0x0000000002EA0000-0x0000000002F6C000-memory.dmp

Filesize
816KB

Download
memory/2832-136-0x00000000067D0000-0x00000000068FC000-memory.dmp

Filesize
1.2MB

Download
memory/3028-135-0x00000000042B0000-0x000000000433F000-memory.dmp

Filesize
572KB

Download
memory/3028-134-0x0000000004470000-0x0000000004790000-memory.dmp

Filesize
3.1MB

Download
memory/3028-131-0x0000000000970000-0x0000000000990000-memory.dmp

Filesize
128KB

Download
memory/3028-132-0x0000000000410000-0x0000000000439000-memory.dmp

Filesize
164KB

Download
memory/3028-130-0x0000000000000000-mapping.dmp

Download
memory/3504-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3504-128-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/3504-127-0x0000000001950000-0x0000000001C70000-memory.dmp

Filesize
3.1MB

Download
memory/3504-126-0x000000000041D0D0-mapping.dmp

Download
memory/3988-122-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/3988-114-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3988-123-0x0000000005BF0000-0x0000000005C67000-memory.dmp

Filesize
476KB

Download
memory/3988-124-0x0000000005B60000-0x0000000005B8A000-memory.dmp

Filesize
168KB

Download
memory/3988-121-0x0000000006510000-0x0000000006512000-memory.dmp

Filesize
8KB

Download
memory/3988-120-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3988-119-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3988-118-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3988-117-0x0000000009F50000-0x0000000009F51000-memory.dmp

Filesize
4KB

Download
memory/3988-116-0x0000000002E60000-0x0000000002EB5000-memory.dmp

Filesize
340KB

Download

description	pid	process	target process
PID 3988 wrote to memory of 3252	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3252	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3252	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 3988 wrote to memory of 3504	3988	TT Transmitted Copy ETT1037468..exe	TT Transmitted Copy ETT1037468..exe
PID 2832 wrote to memory of 3028	2832	Explorer.EXE	control.exe
PID 2832 wrote to memory of 3028	2832	Explorer.EXE	control.exe
PID 2832 wrote to memory of 3028	2832	Explorer.EXE	control.exe
PID 3028 wrote to memory of 2072	3028	control.exe	cmd.exe
PID 3028 wrote to memory of 2072	3028	control.exe	cmd.exe
PID 3028 wrote to memory of 2072	3028	control.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads