xloader | 129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92

General

Target

51195e0d79dacd68acd8b5bcbc356ab1.exe
Size

378KB
MD5

51195e0d79dacd68acd8b5bcbc356ab1
SHA1

b2578edd7f1a89474639271df4c7cf0cba336a05
SHA256

129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92
SHA512

81cb6dc51d75a4bf734ba73ad30175c80066953ded42b46fe16935eb8cc5ed4fa8513f6082707e1ad42c0bb60723b45dc7963ef72ea57d8e18cc2ec43d7720e8

Score

10^/10

xloader mjyv loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mjyv

C2

http://www.simpeltattofor.men/mjyv/

Decoy

wenyuexuan.com

tropicaldepression.info

healthylifefit.com

reemletenleafy.com

jmrrve.com

mabduh.com

esomvw.com

selfcaresereneneness.com

murdabudz.com

meinemail.online

brandqrcodes.com

live-in-pflege.com

nickrecovery.com

ziototoristorante.com

chatcure.com

corlora.com

localagentlab.com

yogo7.net

krveop.com

heianswer.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1808-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1808-66-0x000000000041D460-mapping.dmp	xloader

Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs

Processes:

51195e0d79dacd68acd8b5bcbc356ab1.exe

description pid process target process

PID 748 set thread context of 1808 748 51195e0d79dacd68acd8b5bcbc356ab1.exe 51195e0d79dacd68acd8b5bcbc356ab1.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2004 748 WerFault.exe 51195e0d79dacd68acd8b5bcbc356ab1.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

51195e0d79dacd68acd8b5bcbc356ab1.exeWerFault.exe

pid process

1808 51195e0d79dacd68acd8b5bcbc356ab1.exe
2004 WerFault.exe
2004 WerFault.exe
2004 WerFault.exe
2004 WerFault.exe
2004 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

2004 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

51195e0d79dacd68acd8b5bcbc356ab1.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 748 51195e0d79dacd68acd8b5bcbc356ab1.exe
Token: SeDebugPrivilege 2004 WerFault.exe

description	pid	process	target process
PID 748 set thread context of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe

pid	pid_target	process	target process
2004	748	WerFault.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe

pid	process
1808	51195e0d79dacd68acd8b5bcbc356ab1.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe

pid	process
2004	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	748	51195e0d79dacd68acd8b5bcbc356ab1.exe
Token: SeDebugPrivilege	2004	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

51195e0d79dacd68acd8b5bcbc356ab1.exe

description	pid	process	target process
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 1808	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	51195e0d79dacd68acd8b5bcbc356ab1.exe
PID 748 wrote to memory of 2004	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	WerFault.exe
PID 748 wrote to memory of 2004	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	WerFault.exe
PID 748 wrote to memory of 2004	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	WerFault.exe
PID 748 wrote to memory of 2004	748	51195e0d79dacd68acd8b5bcbc356ab1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\51195e0d79dacd68acd8b5bcbc356ab1.exe
"C:\Users\Admin\AppData\Local\Temp\51195e0d79dacd68acd8b5bcbc356ab1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\51195e0d79dacd68acd8b5bcbc356ab1.exe
"C:\Users\Admin\AppData\Local\Temp\51195e0d79dacd68acd8b5bcbc356ab1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1560
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-60-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/748-62-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/748-63-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/748-64-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1808-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1808-66-0x000000000041D460-mapping.dmp

Download
memory/1808-68-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/2004-67-0x0000000000000000-mapping.dmp

Download
memory/2004-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing