xloader | 2fc9a61642b9083e8ae6c8674596d894fea53124bd5b210a06ab2767e37a2196

General

Target

PAYMENT COPY.exe
Size

866KB
MD5

24736913b455be2ed3d1cc67c767afc4
SHA1

8026db0f265178cf013ac579c1b7267f4014bf2c
SHA256

a109f0b9407728fef1b41d766e8228085ee04661156d84ef543777bf311f450b
SHA512

49dd3e5ecbf6d4cd310a45d0b52e36a363d701f0a9cc14a1d3c103b613eb5a756fdc9ce8b028d69b56c4c8137d29ea3d57865b4ff75dac44bf982e5c80ee56ee

Score

10^/10

xloader c2ue loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c2ue

C2

http://www.heidevelop.xyz/c2ue/

Decoy

isportdata.com

stellarex.energy

hsucollections.com

menuhaisan.com

joe-tzu.com

lumichargemktg.com

uae.tires

rapidcae.com

softwaresystemsolutions.com

s-galaxy.website

daewon-talks.net

northgamesnetwork.com

catalogue-bouyguestele.com

criativanet.com

theseasonalshift.com

actionfoto.online

openmaildoe.com

trashpenguin.com

ennopure.net

azurermine.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-60-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1212-61-0x000000000041D3A0-mapping.dmp	xloader
behavioral1/memory/288-70-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1008 cmd.exe

pid	process
1008	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exewuapp.exe

description	pid	process	target process
PID 1048 set thread context of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1212 set thread context of 1216	1212	PAYMENT COPY.exe	Explorer.EXE
PID 1212 set thread context of 1216	1212	PAYMENT COPY.exe	Explorer.EXE
PID 288 set thread context of 1216	288	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

PAYMENT COPY.exewuapp.exe

pid	process
1212	PAYMENT COPY.exe
1212	PAYMENT COPY.exe
1212	PAYMENT COPY.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe
288	wuapp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PAYMENT COPY.exewuapp.exe

pid process

1212 PAYMENT COPY.exe
1212 PAYMENT COPY.exe
1212 PAYMENT COPY.exe
1212 PAYMENT COPY.exe
288 wuapp.exe
288 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT COPY.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1212 PAYMENT COPY.exe
Token: SeDebugPrivilege 288 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1212	PAYMENT COPY.exe
Token: SeDebugPrivilege	288	wuapp.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PAYMENT COPY.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1048 wrote to memory of 1212	1048	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 1216 wrote to memory of 288	1216	Explorer.EXE	wuapp.exe
PID 288 wrote to memory of 1008	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 1008	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 1008	288	wuapp.exe	cmd.exe
PID 288 wrote to memory of 1008	288	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:572

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:664

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:772

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1136

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:240

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1512

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:552

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1496

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1644

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:836

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1828

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1196

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1884

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:508

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:564

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:268

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
3⤵
- Deletes itself
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-67-0x0000000000000000-mapping.dmp

Download
memory/288-72-0x0000000000540000-0x00000000005D0000-memory.dmp

Filesize
576KB

Download
memory/288-71-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/288-70-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/288-69-0x00000000001E0000-0x00000000001EB000-memory.dmp

Filesize
44KB

Download
memory/1008-68-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/1048-54-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1048-58-0x00000000051D0000-0x0000000005249000-memory.dmp

Filesize
484KB

Download
memory/1048-57-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/1048-56-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1212-62-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1212-63-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/1212-65-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/1212-61-0x000000000041D3A0-mapping.dmp

Download
memory/1212-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1216-64-0x0000000007320000-0x000000000744D000-memory.dmp

Filesize
1.2MB

Download
memory/1216-66-0x0000000004910000-0x00000000049E8000-memory.dmp

Filesize
864KB

Download
memory/1216-73-0x0000000004FB0000-0x0000000005072000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads