xloader | 3121d773a680fbac7dc37f75c38ae8ef20f1b88915cc0b83ca9bf2bf7c22ee94

General

Target

GLEASON_QT2309.exe
Size

642KB
MD5

d601604552146dd9a412f1db8ff0cdd4
SHA1

8dc649c53d100c5d1f1330dc5ba33c680208d7f8
SHA256

3121d773a680fbac7dc37f75c38ae8ef20f1b88915cc0b83ca9bf2bf7c22ee94
SHA512

ae739f1a3ec1b0890dfc46a2b5d88e8cf211ecbc462539a1878e25c33c081ada166d1ad09bf859dd8e83f246d73b7bc9cf5c9f75465be7b09b0566aae50ebc34

Score

10^/10

xloader g9vg loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

g9vg

C2

http://www.supra413.com/g9vg/

Decoy

selenebrennan.com

htsfrance.com

monsieurtechno.com

argosy.city

lit-clouds.com

emilio-m.com

crashycraft.net

washmebro.com

1houroflife.com

millershaga.com

newtonpod.com

camopants.net

animator-show.com

qqzome.com

assetacre.com

letsmakeyourchoice.com

gileadpreferences.com

ecomarklifestyle.com

mivaautomotive.com

rattle100.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3012-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3012-125-0x000000000041D450-mapping.dmp	xloader
behavioral2/memory/500-132-0x00000000006C0000-0x00000000006E9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

GLEASON_QT2309.exeGLEASON_QT2309.exeraserver.exe

description	pid	process	target process
PID 808 set thread context of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 3012 set thread context of 3052	3012	GLEASON_QT2309.exe	Explorer.EXE
PID 500 set thread context of 3052	500	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

GLEASON_QT2309.exeGLEASON_QT2309.exeraserver.exe

pid	process
808	GLEASON_QT2309.exe
808	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe
500	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

GLEASON_QT2309.exeraserver.exe

pid process

3012 GLEASON_QT2309.exe
3012 GLEASON_QT2309.exe
3012 GLEASON_QT2309.exe
500 raserver.exe
500 raserver.exe

pid	process
3052	Explorer.EXE

pid	process
3012	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
3012	GLEASON_QT2309.exe
500	raserver.exe
500	raserver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

GLEASON_QT2309.exeGLEASON_QT2309.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	808	GLEASON_QT2309.exe
Token: SeDebugPrivilege	3012	GLEASON_QT2309.exe
Token: SeDebugPrivilege	500	raserver.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE

pid	process
3052	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

GLEASON_QT2309.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 808 wrote to memory of 3216	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3216	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3216	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 808 wrote to memory of 3012	808	GLEASON_QT2309.exe	GLEASON_QT2309.exe
PID 3052 wrote to memory of 500	3052	Explorer.EXE	raserver.exe
PID 3052 wrote to memory of 500	3052	Explorer.EXE	raserver.exe
PID 3052 wrote to memory of 500	3052	Explorer.EXE	raserver.exe
PID 500 wrote to memory of 584	500	raserver.exe	cmd.exe
PID 500 wrote to memory of 584	500	raserver.exe	cmd.exe
PID 500 wrote to memory of 584	500	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe
"C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe
"C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
3⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe
"C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
3⤵
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-129-0x0000000000000000-mapping.dmp

Download
memory/500-134-0x00000000044B0000-0x0000000004540000-memory.dmp

Filesize
576KB

Download
memory/500-133-0x00000000047E0000-0x0000000004B00000-memory.dmp

Filesize
3.1MB

Download
memory/500-131-0x0000000000B80000-0x0000000000B9F000-memory.dmp

Filesize
124KB

Download
memory/500-132-0x00000000006C0000-0x00000000006E9000-memory.dmp

Filesize
164KB

Download
memory/584-130-0x0000000000000000-mapping.dmp

Download
memory/808-120-0x0000000005580000-0x000000000559D000-memory.dmp

Filesize
116KB

Download
memory/808-114-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/808-123-0x0000000007B20000-0x0000000007B57000-memory.dmp

Filesize
220KB

Download
memory/808-116-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/808-122-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/808-117-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/808-118-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/808-119-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/808-121-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3012-125-0x000000000041D450-mapping.dmp

Download
memory/3012-126-0x0000000001960000-0x0000000001C80000-memory.dmp

Filesize
3.1MB

Download
memory/3012-127-0x00000000017E0000-0x00000000017F1000-memory.dmp

Filesize
68KB

Download
memory/3012-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3052-128-0x0000000004C80000-0x0000000004D5D000-memory.dmp

Filesize
884KB

Download
memory/3052-135-0x0000000004DA0000-0x0000000004EA0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads