xloader | d62663072daa5bde186f1d0c406225099d7ae372d00969a57016206c099ee1b7

General

Target

PO.exe
Size

484KB
MD5

0650530c0192eead0466f36564026598
SHA1

a731bbf3310af1d83119131c0e182e4302062eef
SHA256

d62663072daa5bde186f1d0c406225099d7ae372d00969a57016206c099ee1b7
SHA512

b35bf8737584a618af06804f7ea4b2fcfaa56d0cb2fa6c22a6584a243a65f544598e24ff317749bac39148f79439e7139d0847eaf77d1589d3764e073fd66d97

Score

10^/10

xloader n58i loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

C2

http://www.mack3sleeve.com/n58i/

Decoy

nl-cafe.com

votetedjaleta.com

britrobertsrealtor.com

globipark.com

citysucces.com

verisignwebsite-verified.com

riddlepc.com

rosecityclimbing.com

oleandrinextract.com

salmankonstruksi.com

needhamchannel.com

refreshx2z.com

youth66.com

pla-russia.com

halloweenmaskpro.com

exdysis.com

1gcz.com

lookgoodman.com

rlxagva.com

stlcityc.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1276-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1276-125-0x000000000041D070-mapping.dmp	xloader
behavioral2/memory/768-132-0x0000000002920000-0x0000000002949000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 644 set thread context of 1276	644	PO.exe	RegSvcs.exe
PID 1276 set thread context of 3092	1276	RegSvcs.exe	Explorer.EXE
PID 768 set thread context of 3092	768	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

PO.exeRegSvcs.execmd.exe

pid	process
644	PO.exe
644	PO.exe
1276	RegSvcs.exe
1276	RegSvcs.exe
1276	RegSvcs.exe
1276	RegSvcs.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe
768	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmd.exe

pid process

1276 RegSvcs.exe
1276 RegSvcs.exe
1276 RegSvcs.exe
768 cmd.exe
768 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO.exeRegSvcs.execmd.exe

description pid process

Token: SeDebugPrivilege 644 PO.exe
Token: SeDebugPrivilege 1276 RegSvcs.exe
Token: SeDebugPrivilege 768 cmd.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE

pid	process
3092	Explorer.EXE

pid	process
1276	RegSvcs.exe
1276	RegSvcs.exe
1276	RegSvcs.exe
768	cmd.exe
768	cmd.exe

description	pid	process
Token: SeDebugPrivilege	644	PO.exe
Token: SeDebugPrivilege	1276	RegSvcs.exe
Token: SeDebugPrivilege	768	cmd.exe

pid	process
3092	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 644 wrote to memory of 1276	644	PO.exe	RegSvcs.exe
PID 3092 wrote to memory of 768	3092	Explorer.EXE	cmd.exe
PID 3092 wrote to memory of 768	3092	Explorer.EXE	cmd.exe
PID 3092 wrote to memory of 768	3092	Explorer.EXE	cmd.exe
PID 768 wrote to memory of 1272	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 1272	768	cmd.exe	cmd.exe
PID 768 wrote to memory of 1272	768	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-121-0x00000000054B0000-0x00000000054C6000-memory.dmp

Filesize
88KB

Download
memory/644-123-0x0000000009D20000-0x0000000009D4A000-memory.dmp

Filesize
168KB

Download
memory/644-117-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/644-118-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/644-119-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/644-120-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/644-116-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/644-114-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/644-122-0x00000000074F0000-0x000000000754F000-memory.dmp

Filesize
380KB

Download
memory/768-134-0x00000000030F0000-0x0000000003180000-memory.dmp

Filesize
576KB

Download
memory/768-133-0x0000000002DD0000-0x00000000030F0000-memory.dmp

Filesize
3.1MB

Download
memory/768-131-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/768-132-0x0000000002920000-0x0000000002949000-memory.dmp

Filesize
164KB

Download
memory/768-129-0x0000000000000000-mapping.dmp

Download
memory/1272-130-0x0000000000000000-mapping.dmp

Download
memory/1276-126-0x0000000001590000-0x00000000018B0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-127-0x0000000001A90000-0x0000000001AA1000-memory.dmp

Filesize
68KB

Download
memory/1276-125-0x000000000041D070-mapping.dmp

Download
memory/1276-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3092-128-0x0000000008AB0000-0x0000000008C3F000-memory.dmp

Filesize
1.6MB

Download
memory/3092-135-0x0000000005E40000-0x0000000005F11000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads