xloader | 2fc9a61642b9083e8ae6c8674596d894fea53124bd5b210a06ab2767e37a2196

General

Target

PAYMENT COPY.exe
Size

866KB
MD5

24736913b455be2ed3d1cc67c767afc4
SHA1

8026db0f265178cf013ac579c1b7267f4014bf2c
SHA256

a109f0b9407728fef1b41d766e8228085ee04661156d84ef543777bf311f450b
SHA512

49dd3e5ecbf6d4cd310a45d0b52e36a363d701f0a9cc14a1d3c103b613eb5a756fdc9ce8b028d69b56c4c8137d29ea3d57865b4ff75dac44bf982e5c80ee56ee

Score

10^/10

xloader c2ue loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c2ue

C2

http://www.heidevelop.xyz/c2ue/

Decoy

isportdata.com

stellarex.energy

hsucollections.com

menuhaisan.com

joe-tzu.com

lumichargemktg.com

uae.tires

rapidcae.com

softwaresystemsolutions.com

s-galaxy.website

daewon-talks.net

northgamesnetwork.com

catalogue-bouyguestele.com

criativanet.com

theseasonalshift.com

actionfoto.online

openmaildoe.com

trashpenguin.com

ennopure.net

azurermine.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3348-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3348-127-0x000000000041D3A0-mapping.dmp	xloader
behavioral2/memory/1804-136-0x0000000000800000-0x0000000000829000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exemsiexec.exe

description	pid	process	target process
PID 628 set thread context of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 3348 set thread context of 2996	3348	PAYMENT COPY.exe	Explorer.EXE
PID 1804 set thread context of 2996	1804	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exemsiexec.exe

pid	process
628	PAYMENT COPY.exe
628	PAYMENT COPY.exe
628	PAYMENT COPY.exe
628	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe
1804	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PAYMENT COPY.exemsiexec.exe

pid process

3348 PAYMENT COPY.exe
3348 PAYMENT COPY.exe
3348 PAYMENT COPY.exe
1804 msiexec.exe
1804 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PAYMENT COPY.exePAYMENT COPY.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 628 PAYMENT COPY.exe
Token: SeDebugPrivilege 3348 PAYMENT COPY.exe
Token: SeDebugPrivilege 1804 msiexec.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2996	Explorer.EXE

pid	process
3348	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
3348	PAYMENT COPY.exe
1804	msiexec.exe
1804	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	628	PAYMENT COPY.exe
Token: SeDebugPrivilege	3348	PAYMENT COPY.exe
Token: SeDebugPrivilege	1804	msiexec.exe

pid	process
2996	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PAYMENT COPY.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 628 wrote to memory of 3632	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3632	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3632	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 2664	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 2664	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 2664	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 628 wrote to memory of 3348	628	PAYMENT COPY.exe	PAYMENT COPY.exe
PID 2996 wrote to memory of 1804	2996	Explorer.EXE	msiexec.exe
PID 2996 wrote to memory of 1804	2996	Explorer.EXE	msiexec.exe
PID 2996 wrote to memory of 1804	2996	Explorer.EXE	msiexec.exe
PID 1804 wrote to memory of 404	1804	msiexec.exe	cmd.exe
PID 1804 wrote to memory of 404	1804	msiexec.exe	cmd.exe
PID 1804 wrote to memory of 404	1804	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"{path}"
3⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"{path}"
3⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
3⤵
PID:404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-134-0x0000000000000000-mapping.dmp

Download
memory/628-125-0x0000000008B80000-0x0000000008BAB000-memory.dmp

Filesize
172KB

Download
memory/628-118-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/628-116-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/628-119-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/628-120-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/628-121-0x00000000049C0000-0x0000000004A5C000-memory.dmp

Filesize
624KB

Download
memory/628-122-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/628-123-0x00000000044F0000-0x00000000044FE000-memory.dmp

Filesize
56KB

Download
memory/628-124-0x0000000008AD0000-0x0000000008B49000-memory.dmp

Filesize
484KB

Download
memory/628-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/628-117-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1804-131-0x0000000000000000-mapping.dmp

Download
memory/1804-135-0x0000000001390000-0x00000000013A2000-memory.dmp

Filesize
72KB

Download
memory/1804-136-0x0000000000800000-0x0000000000829000-memory.dmp

Filesize
164KB

Download
memory/1804-137-0x00000000047B0000-0x0000000004AD0000-memory.dmp

Filesize
3.1MB

Download
memory/1804-138-0x0000000001150000-0x00000000011E0000-memory.dmp

Filesize
576KB

Download
memory/2996-139-0x0000000007040000-0x0000000007164000-memory.dmp

Filesize
1.1MB

Download
memory/2996-130-0x0000000006EF0000-0x0000000007038000-memory.dmp

Filesize
1.3MB

Download
memory/3348-129-0x00000000010F0000-0x0000000001101000-memory.dmp

Filesize
68KB

Download
memory/3348-128-0x0000000001180000-0x00000000014A0000-memory.dmp

Filesize
3.1MB

Download
memory/3348-127-0x000000000041D3A0-mapping.dmp

Download
memory/3348-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads