xloader | f7f840a7d6ed87875a6376dedef3386e491cfafd01011f27f21b0b2b73a0d6ba

General

Target

Purchase order_dated 08-14-2021.exe
Size

1.1MB
MD5

a76c4bccf8ca3cc9a4ce06f4ec164527
SHA1

a87a39b0742b6dd4e93b975307251f7d59e1d21c
SHA256

f7f840a7d6ed87875a6376dedef3386e491cfafd01011f27f21b0b2b73a0d6ba
SHA512

30f4872fca6e46bf1cfe11489a98223ae563b3c5f16e5c99576b1b59327eee05b72a647cd8a7c0add22168cb8f4155518c8cd4f62d9b2d2cbee143f184dcd279

Score

10^/10

xloader bp39 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

bp39

C2

http://www.piadineriae45.com/bp39/

Decoy

glembos.com

adjud.net

beautifyoils.com

chilewiki.com

duxingzi.com

happygromedia.com

restpostenboerse.com

vowsweddingofficiants.com

ladingjiwa.xyz

keepmakingefforts-001.com

yeniao.net

eyildirmaz.com

sayanghae.com

promoteboost.com

lzft.net

proudindiacompany.com

birchwoodmeridianlink.com

mesinionisasi.com

wwwrigalinks.com

wewearthepants.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3860-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3860-126-0x000000000041D090-mapping.dmp	xloader
behavioral2/memory/3000-135-0x0000000000720000-0x0000000000749000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

Purchase order_dated 08-14-2021.exePurchase order_dated 08-14-2021.exesystray.exe

description	pid	process	target process
PID 776 set thread context of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 3860 set thread context of 3020	3860	Purchase order_dated 08-14-2021.exe	Explorer.EXE
PID 3860 set thread context of 3020	3860	Purchase order_dated 08-14-2021.exe	Explorer.EXE
PID 3000 set thread context of 3020	3000	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Purchase order_dated 08-14-2021.exesystray.exe

pid	process
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe
3000	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Purchase order_dated 08-14-2021.exesystray.exe

pid	process
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3860	Purchase order_dated 08-14-2021.exe
3000	systray.exe
3000	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase order_dated 08-14-2021.exesystray.exe

description pid process

Token: SeDebugPrivilege 3860 Purchase order_dated 08-14-2021.exe
Token: SeDebugPrivilege 3000 systray.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3860	Purchase order_dated 08-14-2021.exe
Token: SeDebugPrivilege	3000	systray.exe

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase order_dated 08-14-2021.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 776 wrote to memory of 3860	776	Purchase order_dated 08-14-2021.exe	Purchase order_dated 08-14-2021.exe
PID 3020 wrote to memory of 3000	3020	Explorer.EXE	systray.exe
PID 3020 wrote to memory of 3000	3020	Explorer.EXE	systray.exe
PID 3020 wrote to memory of 3000	3020	Explorer.EXE	systray.exe
PID 3000 wrote to memory of 976	3000	systray.exe	cmd.exe
PID 3000 wrote to memory of 976	3000	systray.exe	cmd.exe
PID 3000 wrote to memory of 976	3000	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\Purchase order_dated 08-14-2021.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order_dated 08-14-2021.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\Purchase order_dated 08-14-2021.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order_dated 08-14-2021.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1340

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase order_dated 08-14-2021.exe"
3⤵
PID:976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/776-116-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/776-117-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/776-118-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/776-119-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/776-120-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/776-121-0x0000000005250000-0x000000000574E000-memory.dmp

Filesize
5.0MB

Download
memory/776-122-0x0000000005490000-0x00000000054A8000-memory.dmp

Filesize
96KB

Download
memory/776-123-0x0000000008A30000-0x0000000008AC8000-memory.dmp

Filesize
608KB

Download
memory/776-124-0x00000000070D0000-0x00000000070FA000-memory.dmp

Filesize
168KB

Download
memory/976-133-0x0000000000000000-mapping.dmp

Download
memory/3000-135-0x0000000000720000-0x0000000000749000-memory.dmp

Filesize
164KB

Download
memory/3000-132-0x0000000000000000-mapping.dmp

Download
memory/3000-134-0x0000000001080000-0x0000000001086000-memory.dmp

Filesize
24KB

Download
memory/3000-136-0x00000000047C0000-0x0000000004AE0000-memory.dmp

Filesize
3.1MB

Download
memory/3000-137-0x0000000004AE0000-0x0000000004B70000-memory.dmp

Filesize
576KB

Download
memory/3020-129-0x0000000002420000-0x00000000024E7000-memory.dmp

Filesize
796KB

Download
memory/3020-131-0x0000000005910000-0x00000000059E7000-memory.dmp

Filesize
860KB

Download
memory/3020-138-0x0000000005D10000-0x0000000005E1C000-memory.dmp

Filesize
1.0MB

Download
memory/3860-127-0x0000000001A10000-0x0000000001D30000-memory.dmp

Filesize
3.1MB

Download
memory/3860-128-0x0000000001470000-0x00000000015BA000-memory.dmp

Filesize
1.3MB

Download
memory/3860-130-0x00000000019D0000-0x00000000019E1000-memory.dmp

Filesize
68KB

Download
memory/3860-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3860-126-0x000000000041D090-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads