xloader | eddb900c9e73f050ce4a90866c3923abf4bee473aedd23b2ac603868cd88f311

General

Target

Stamped Agreement.exe
Size

1.0MB
MD5

d4ea38bc35cb738b29f73e6750923a95
SHA1

8a4d5b7fa21b73f189b82565e3748368148b6a26
SHA256

3edf6811850efc722b39737bf3623a42127e728f0c32a0a6ab7c66044838d307
SHA512

b72774638a4dd856220117dc9f29bacf0166db6519ecd1f023a446829d403715d6b4a2d8bbb9783b32e412376194e63368a300d1ac326e440c40d9ff6128d958

Score

10^/10

xloader ipa8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ipa8

C2

http://www.desarrollosolucionesnavarro.com/ipa8/

Decoy

royalposhpups.com

univa.world

lanerbo.com

shopbabygo.com

theutahhomestore.com

serialmixer.icu

linfeiya.com

xn--12cg3de5c2eb5cyi.com

am-conseil-communication.com

dailygame168.com

therightmilitia.com

visions-agency.com

mapopi.com

frugallyketo.com

guapandglo.com

54w-x126v.net

your-health-kick.com

blockchainhub360.com

registernowhd.xyz

votekellykitashima.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2964-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2964-126-0x000000000041D0D0-mapping.dmp	xloader
behavioral2/memory/3040-132-0x0000000002700000-0x0000000002729000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Stamped Agreement.exeStamped Agreement.exehelp.exe

description	pid	process	target process
PID 416 set thread context of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 2964 set thread context of 3032	2964	Stamped Agreement.exe	Explorer.EXE
PID 3040 set thread context of 3032	3040	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Stamped Agreement.exeStamped Agreement.exehelp.exe

pid	process
416	Stamped Agreement.exe
416	Stamped Agreement.exe
2964	Stamped Agreement.exe
2964	Stamped Agreement.exe
2964	Stamped Agreement.exe
2964	Stamped Agreement.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe
3040	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Stamped Agreement.exehelp.exe

pid process

2964 Stamped Agreement.exe
2964 Stamped Agreement.exe
2964 Stamped Agreement.exe
3040 help.exe
3040 help.exe

pid	process
3032	Explorer.EXE

pid	process
2964	Stamped Agreement.exe
2964	Stamped Agreement.exe
2964	Stamped Agreement.exe
3040	help.exe
3040	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Stamped Agreement.exeStamped Agreement.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	416	Stamped Agreement.exe
Token: SeDebugPrivilege	2964	Stamped Agreement.exe
Token: SeDebugPrivilege	3040	help.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE

pid	process
3032	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Stamped Agreement.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 416 wrote to memory of 2376	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2376	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2376	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 416 wrote to memory of 2964	416	Stamped Agreement.exe	Stamped Agreement.exe
PID 3032 wrote to memory of 3040	3032	Explorer.EXE	help.exe
PID 3032 wrote to memory of 3040	3032	Explorer.EXE	help.exe
PID 3032 wrote to memory of 3040	3032	Explorer.EXE	help.exe
PID 3040 wrote to memory of 3540	3040	help.exe	cmd.exe
PID 3040 wrote to memory of 3540	3040	help.exe	cmd.exe
PID 3040 wrote to memory of 3540	3040	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe"
3⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe
"C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Stamped Agreement.exe"
3⤵
PID:3540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-114-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/416-116-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/416-117-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/416-118-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/416-119-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/416-120-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/416-121-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/416-122-0x00000000031B0000-0x00000000031C8000-memory.dmp

Filesize
96KB

Download
memory/416-123-0x0000000009050000-0x00000000090E8000-memory.dmp

Filesize
608KB

Download
memory/416-124-0x0000000007650000-0x000000000767A000-memory.dmp

Filesize
168KB

Download
memory/2964-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-126-0x000000000041D0D0-mapping.dmp

Download
memory/2964-128-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2964-127-0x0000000001540000-0x0000000001860000-memory.dmp

Filesize
3.1MB

Download
memory/3032-129-0x0000000004DF0000-0x0000000004F0D000-memory.dmp

Filesize
1.1MB

Download
memory/3032-136-0x0000000005690000-0x00000000057BB000-memory.dmp

Filesize
1.2MB

Download
memory/3040-130-0x0000000000000000-mapping.dmp

Download
memory/3040-132-0x0000000002700000-0x0000000002729000-memory.dmp

Filesize
164KB

Download
memory/3040-131-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/3040-133-0x0000000002C90000-0x0000000002FB0000-memory.dmp

Filesize
3.1MB

Download
memory/3040-135-0x0000000002B10000-0x0000000002B9F000-memory.dmp

Filesize
572KB

Download
memory/3540-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads