xloader | bb60b98852cad89fe450ec8486cee96bb6932b29c692f97d5b7ed7936556845f

General

Target

Payment document.exe
Size

532KB
MD5

d0cceb56aaec4f8d458498904813b790
SHA1

8efefaefb2a32c05c3282721be10c0b838c0cc96
SHA256

bb60b98852cad89fe450ec8486cee96bb6932b29c692f97d5b7ed7936556845f
SHA512

26137c91ab694b4bc21d06ed5f5f916c6884f7a7a94536a22948290c9cfa1cb1ac84ecd4f0893784eaab0eb6c674f05d6062b0dc6f61293935bb3eef53571de0

Score

10^/10

xloader dbew loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

dbew

C2

http://www.mengtai.xyz/dbew/

Decoy

unblock-sites.xyz

xkmfiue.com

8pz96.com

affkart.com

attila-velte.com

hyrq30.website

tinoovia.com

egraintrade.com

smokynagata.com

welojz.xyz

lizethdavid.com

traumland56.com

player23games.com

mvnupersonaltraining.com

anonymousmen.com

learnchinese-school.com

haus-us.com

homayounmusic.com

kp-taku.com

djalleykat.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-59-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1516-60-0x000000000041D3E0-mapping.dmp	xloader
behavioral1/memory/516-67-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 9 IoCs

Processes:

cmd.exe

flow pid process

25 516 cmd.exe
33 516 cmd.exe
48 516 cmd.exe
55 516 cmd.exe
59 516 cmd.exe
72 516 cmd.exe
80 516 cmd.exe
85 516 cmd.exe
105 516 cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

460 cmd.exe

flow	pid	process
25	516	cmd.exe
33	516	cmd.exe
48	516	cmd.exe
55	516	cmd.exe
59	516	cmd.exe
72	516	cmd.exe
80	516	cmd.exe
85	516	cmd.exe
105	516	cmd.exe

pid	process
460	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment document.exePayment document.execmd.exe

description	pid	process	target process
PID 1268 set thread context of 1516	1268	Payment document.exe	Payment document.exe
PID 1516 set thread context of 1216	1516	Payment document.exe	Explorer.EXE
PID 516 set thread context of 1216	516	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment document.exePayment document.execmd.exe

pid	process
1268	Payment document.exe
1268	Payment document.exe
1268	Payment document.exe
1516	Payment document.exe
1516	Payment document.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe
516	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment document.execmd.exe

pid process

1516 Payment document.exe
1516 Payment document.exe
1516 Payment document.exe
516 cmd.exe
516 cmd.exe

pid	process
1216	Explorer.EXE

pid	process
1516	Payment document.exe
1516	Payment document.exe
1516	Payment document.exe
516	cmd.exe
516	cmd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Payment document.exePayment document.execmd.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1268	Payment document.exe
Token: SeDebugPrivilege	1516	Payment document.exe
Token: SeDebugPrivilege	516	cmd.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Payment document.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 1548	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1548	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1548	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1548	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1268 wrote to memory of 1516	1268	Payment document.exe	Payment document.exe
PID 1216 wrote to memory of 516	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 516	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 516	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 516	1216	Explorer.EXE	cmd.exe
PID 516 wrote to memory of 460	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 460	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 460	516	cmd.exe	cmd.exe
PID 516 wrote to memory of 460	516	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\Payment document.exe
"C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\Payment document.exe
"C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
3⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\Payment document.exe
"C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
3⤵
- Deletes itself
PID:460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/460-65-0x0000000000000000-mapping.dmp

Download
memory/516-71-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/516-69-0x0000000001F80000-0x0000000002010000-memory.dmp

Filesize
576KB

Download
memory/516-68-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/516-67-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/516-66-0x000000004A7A0000-0x000000004A7EC000-memory.dmp

Filesize
304KB

Download
memory/516-64-0x0000000000000000-mapping.dmp

Download
memory/1216-63-0x0000000007320000-0x0000000007482000-memory.dmp

Filesize
1.4MB

Download
memory/1216-70-0x0000000009080000-0x00000000091D6000-memory.dmp

Filesize
1.3MB

Download
memory/1268-58-0x0000000000630000-0x000000000065B000-memory.dmp

Filesize
172KB

Download
memory/1268-53-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-57-0x0000000004400000-0x000000000445E000-memory.dmp

Filesize
376KB

Download
memory/1268-56-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1268-55-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/1516-61-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1516-62-0x00000000004D0000-0x00000000004E1000-memory.dmp

Filesize
68KB

Download
memory/1516-60-0x000000000041D3E0-mapping.dmp

Download
memory/1516-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads