xloader | 5f849b2eff2280adf1041388bbad6fc2e4f047c36b6d942ecd4e07946352049c

General

Target

1ZA109T4043832978.exe
Size

870KB
MD5

b9c97800cf3e146a5ab333672363db14
SHA1

545da9f150fcdf0994b87d09b26963c3a2788665
SHA256

5f849b2eff2280adf1041388bbad6fc2e4f047c36b6d942ecd4e07946352049c
SHA512

65f5ed4a6ebfb6125faa6f347070d391c5ec883f84603777605da2790cb8bf90c372e8d1bb86447479e2ddb3d63ea6b4fb089667a0fdb7ed6587b2416c7a7fb5

Score

10^/10

xloader tr7h loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

tr7h

C2

http://www.globalinterchangellc.com/tr7h/

Decoy

hnhstudios.com

du-lang.com

lonestartradeoilllc.com

criptool.online

rebus-automotive.com

boxedwallconsepts.net

helixarray.com

jinqiaodianfen.com

goldenwaxi.com

comprarloterianacional.com

digebitdigital.com

cryptoupp.com

332151.com

bousui.club

redakassoumeh.com

giantinosglobalreachstore.com

resultsnft.com

papicolar.com

juvesti.com

tax-kaikei.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3744-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3744-126-0x000000000041D4C0-mapping.dmp	xloader
behavioral2/memory/544-133-0x00000000008A0000-0x00000000008C9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

1ZA109T4043832978.exe1ZA109T4043832978.exesvchost.exe

description	pid	process	target process
PID 656 set thread context of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 3744 set thread context of 3060	3744	1ZA109T4043832978.exe	Explorer.EXE
PID 544 set thread context of 3060	544	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

1ZA109T4043832978.exesvchost.exe

pid	process
3744	1ZA109T4043832978.exe
3744	1ZA109T4043832978.exe
3744	1ZA109T4043832978.exe
3744	1ZA109T4043832978.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

1ZA109T4043832978.exesvchost.exe

pid process

3744 1ZA109T4043832978.exe
3744 1ZA109T4043832978.exe
3744 1ZA109T4043832978.exe
544 svchost.exe
544 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1ZA109T4043832978.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3744 1ZA109T4043832978.exe
Token: SeDebugPrivilege 544 svchost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE

pid	process
3060	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3744	1ZA109T4043832978.exe
Token: SeDebugPrivilege	544	svchost.exe

pid	process
3060	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1ZA109T4043832978.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 656 wrote to memory of 3744	656	1ZA109T4043832978.exe	1ZA109T4043832978.exe
PID 3060 wrote to memory of 544	3060	Explorer.EXE	svchost.exe
PID 3060 wrote to memory of 544	3060	Explorer.EXE	svchost.exe
PID 3060 wrote to memory of 544	3060	Explorer.EXE	svchost.exe
PID 544 wrote to memory of 2556	544	svchost.exe	cmd.exe
PID 544 wrote to memory of 2556	544	svchost.exe	cmd.exe
PID 544 wrote to memory of 2556	544	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe
"C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe
"C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\1ZA109T4043832978.exe"
3⤵
PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-130-0x0000000000000000-mapping.dmp

Download
memory/544-135-0x0000000003400000-0x0000000003490000-memory.dmp

Filesize
576KB

Download
memory/544-134-0x0000000003620000-0x0000000003940000-memory.dmp

Filesize
3.1MB

Download
memory/544-133-0x00000000008A0000-0x00000000008C9000-memory.dmp

Filesize
164KB

Download
memory/544-132-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/656-120-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/656-122-0x0000000008D20000-0x0000000008D88000-memory.dmp

Filesize
416KB

Download
memory/656-123-0x0000000008D90000-0x0000000008D92000-memory.dmp

Filesize
8KB

Download
memory/656-124-0x0000000008DB0000-0x0000000008DE8000-memory.dmp

Filesize
224KB

Download
memory/656-116-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/656-117-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/656-118-0x0000000005380000-0x000000000587E000-memory.dmp

Filesize
5.0MB

Download
memory/656-119-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/656-121-0x0000000005840000-0x0000000005853000-memory.dmp

Filesize
76KB

Download
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2556-131-0x0000000000000000-mapping.dmp

Download
memory/3060-129-0x0000000006950000-0x0000000006A9F000-memory.dmp

Filesize
1.3MB

Download
memory/3060-136-0x0000000006CD0000-0x0000000006DEC000-memory.dmp

Filesize
1.1MB

Download
memory/3744-127-0x0000000001960000-0x0000000001C80000-memory.dmp

Filesize
3.1MB

Download
memory/3744-128-0x00000000018F0000-0x0000000001901000-memory.dmp

Filesize
68KB

Download
memory/3744-126-0x000000000041D4C0-mapping.dmp

Download
memory/3744-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads