xloader | 36ce9036dc3f761e10f1a795451aa70aa689aa988e3ec78092749db4e02142d4

General

Target

onxyPs4yG1MUPbN.exe
Size

751KB
MD5

dcf0af8133ef8884811ad04f6c4274e8
SHA1

65c24521f2670260e9abe932c639f51b0847971b
SHA256

115716164b2092df207c750d11a2b4ce05bee204b7f21f1f62d93a5b7d78afa1
SHA512

1ff607115b6a831783f6273a7ab84bd6d9899d2ef6fcea96e1449a9ee692b74e0405a9a17349275ef6ae588fd9aaf4aa7fd29c767619502ba73ea31b24c61514

Score

10^/10

xloader gjeh loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gjeh

C2

http://www.getaudionow.com/gjeh/

Decoy

carmator.com

bsbqrp.com

siemens-mp.com

dunnfloorcoverings.com

cpassminimedicalschools.info

howtodesignyourhomeoffice.com

famliytaste.com

freesocialmarketing.com

jejuhaenyeo.net

tradebot.icu

arzug.com

carrefour-solucoes.online

ladyom.com

aoironote.com

newmexicocarwreckattorney.com

wealthpatternsllc.net

thinkpinkalicous.com

prajapati.company

bjhwky.com

jsdigitalekuns.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3864-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3864-128-0x000000000041D460-mapping.dmp	xloader
behavioral2/memory/588-135-0x0000000000180000-0x00000000001A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

onxyPs4yG1MUPbN.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 3580 set thread context of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3864 set thread context of 3060	3864	RegSvcs.exe	Explorer.EXE
PID 588 set thread context of 3060	588	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

onxyPs4yG1MUPbN.exeRegSvcs.execontrol.exe

pid	process
3580	onxyPs4yG1MUPbN.exe
3580	onxyPs4yG1MUPbN.exe
3864	RegSvcs.exe
3864	RegSvcs.exe
3864	RegSvcs.exe
3864	RegSvcs.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe
588	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

3864 RegSvcs.exe
3864 RegSvcs.exe
3864 RegSvcs.exe
588 control.exe
588 control.exe

pid	process
3060	Explorer.EXE

pid	process
3864	RegSvcs.exe
3864	RegSvcs.exe
3864	RegSvcs.exe
588	control.exe
588	control.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

onxyPs4yG1MUPbN.exeRegSvcs.exeExplorer.EXEcontrol.exe

description	pid	process
Token: SeDebugPrivilege	3580	onxyPs4yG1MUPbN.exe
Token: SeDebugPrivilege	3864	RegSvcs.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeDebugPrivilege	588	control.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

onxyPs4yG1MUPbN.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3580 wrote to memory of 3864	3580	onxyPs4yG1MUPbN.exe	RegSvcs.exe
PID 3060 wrote to memory of 588	3060	Explorer.EXE	control.exe
PID 3060 wrote to memory of 588	3060	Explorer.EXE	control.exe
PID 3060 wrote to memory of 588	3060	Explorer.EXE	control.exe
PID 588 wrote to memory of 4208	588	control.exe	cmd.exe
PID 588 wrote to memory of 4208	588	control.exe	cmd.exe
PID 588 wrote to memory of 4208	588	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\onxyPs4yG1MUPbN.exe
"C:\Users\Admin\AppData\Local\Temp\onxyPs4yG1MUPbN.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-137-0x00000000040D0000-0x0000000004160000-memory.dmp

Filesize
576KB

Download
memory/588-136-0x0000000004310000-0x0000000004630000-memory.dmp

Filesize
3.1MB

Download
memory/588-134-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/588-135-0x0000000000180000-0x00000000001A9000-memory.dmp

Filesize
164KB

Download
memory/588-132-0x0000000000000000-mapping.dmp

Download
memory/3060-131-0x0000000004D30000-0x0000000004EB4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-138-0x0000000004EC0000-0x000000000504A000-memory.dmp

Filesize
1.5MB

Download
memory/3580-121-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3580-115-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/3580-125-0x0000000007950000-0x00000000079B8000-memory.dmp

Filesize
416KB

Download
memory/3580-126-0x00000000079E0000-0x0000000007A19000-memory.dmp

Filesize
228KB

Download
memory/3580-117-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3580-118-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3580-119-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3580-124-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/3580-123-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download
memory/3580-122-0x00000000073C0000-0x00000000073DD000-memory.dmp

Filesize
116KB

Download
memory/3580-120-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3864-129-0x0000000001560000-0x0000000001880000-memory.dmp

Filesize
3.1MB

Download
memory/3864-130-0x0000000000F00000-0x000000000104A000-memory.dmp

Filesize
1.3MB

Download
memory/3864-128-0x000000000041D460-mapping.dmp

Download
memory/3864-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads