xloader | 2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776

General

Target

Inquiry-URGENT.exe
Size

433KB
MD5

001127ea6a36d3b93e8c54ff1b8f22b8
SHA1

acd9171ec5641efc54a16c5c18184dd6e25138c8
SHA256

2728dc98fdebc00823b877eba49ace782c17db8a07074634aafca9dc00277776
SHA512

7a5687835380616daa433ce196fdb7badfcf74f0e1e4cb97c4064ac0eea1b633b0ed536ea409519d09a5f5c341861b1930242a3f8c706eb58f52defab8e2110f

Score

10^/10

xloader b5ce loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b5ce

C2

http://www.rheilea.com/b5ce/

Decoy

advellerd.xyz

giasuvina.com

arab-xt-pro.com

ahsltu2ua4.com

trasportesemmanuel.com

kissimmeesoccercup.com

studyengland.com

m2volleyballclub.com

shyuehuan.com

elsml.com

blog-x-history.top

coditeu.com

allattachments.net

vigautruc.com

mentication.com

zambiaedu.xyz

filadelfiacenter.com

avlaborsourceinc.info

tameka-stewart.com

studio-cleo.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3764-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3764-126-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/2604-132-0x0000000000CE0000-0x0000000000D09000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Inquiry-URGENT.exeInquiry-URGENT.exeNETSTAT.EXE

description	pid	process	target process
PID 2492 set thread context of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 3764 set thread context of 3036	3764	Inquiry-URGENT.exe	Explorer.EXE
PID 2604 set thread context of 3036	2604	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2604 NETSTAT.EXE

pid	process
2604	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Inquiry-URGENT.exeNETSTAT.EXE

pid	process
3764	Inquiry-URGENT.exe
3764	Inquiry-URGENT.exe
3764	Inquiry-URGENT.exe
3764	Inquiry-URGENT.exe
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE
2604	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Inquiry-URGENT.exeNETSTAT.EXE

pid process

3764 Inquiry-URGENT.exe
3764 Inquiry-URGENT.exe
3764 Inquiry-URGENT.exe
2604 NETSTAT.EXE
2604 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Inquiry-URGENT.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3764 Inquiry-URGENT.exe
Token: SeDebugPrivilege 2604 NETSTAT.EXE

pid	process
3036	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3764	Inquiry-URGENT.exe
Token: SeDebugPrivilege	2604	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Inquiry-URGENT.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 2492 wrote to memory of 3764	2492	Inquiry-URGENT.exe	Inquiry-URGENT.exe
PID 3036 wrote to memory of 2604	3036	Explorer.EXE	NETSTAT.EXE
PID 3036 wrote to memory of 2604	3036	Explorer.EXE	NETSTAT.EXE
PID 3036 wrote to memory of 2604	3036	Explorer.EXE	NETSTAT.EXE
PID 2604 wrote to memory of 4084	2604	NETSTAT.EXE	cmd.exe
PID 2604 wrote to memory of 4084	2604	NETSTAT.EXE	cmd.exe
PID 2604 wrote to memory of 4084	2604	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\Inquiry-URGENT.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry-URGENT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\Inquiry-URGENT.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry-URGENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Inquiry-URGENT.exe"
3⤵
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-115-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2492-117-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/2492-118-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/2492-119-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2492-120-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2492-121-0x0000000005890000-0x0000000005897000-memory.dmp

Filesize
28KB

Download
memory/2492-122-0x00000000057C0000-0x0000000005CBE000-memory.dmp

Filesize
5.0MB

Download
memory/2492-123-0x0000000006440000-0x000000000649A000-memory.dmp

Filesize
360KB

Download
memory/2492-124-0x0000000006210000-0x000000000623C000-memory.dmp

Filesize
176KB

Download
memory/2604-132-0x0000000000CE0000-0x0000000000D09000-memory.dmp

Filesize
164KB

Download
memory/2604-130-0x0000000000000000-mapping.dmp

Download
memory/2604-133-0x0000000003430000-0x0000000003750000-memory.dmp

Filesize
3.1MB

Download
memory/2604-131-0x00000000010E0000-0x00000000010EB000-memory.dmp

Filesize
44KB

Download
memory/2604-135-0x0000000003280000-0x0000000003310000-memory.dmp

Filesize
576KB

Download
memory/3036-129-0x0000000002810000-0x00000000028DD000-memory.dmp

Filesize
820KB

Download
memory/3036-136-0x0000000005C20000-0x0000000005D7B000-memory.dmp

Filesize
1.4MB

Download
memory/3764-126-0x000000000041D430-mapping.dmp

Download
memory/3764-128-0x0000000001C60000-0x0000000001C71000-memory.dmp

Filesize
68KB

Download
memory/3764-127-0x0000000001840000-0x0000000001B60000-memory.dmp

Filesize
3.1MB

Download
memory/3764-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4084-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads