xloader | 07826de5569163107133c374c0f4fde7f494118f127cce285a2a280d98b2dd3b

General

Target

DHL invoice KULIR00895239.pdf.exe
Size

438KB
MD5

f668e4c9cc8a691b159e2033f30f50b5
SHA1

3ef37ae10df8f196b68f69db29a7f369fa181970
SHA256

07826de5569163107133c374c0f4fde7f494118f127cce285a2a280d98b2dd3b
SHA512

92cef7c693652fbd31f878b2f5a759c6bacfc07e479a64cf0ce8ddb9cf35468c4a0630eac572185b90b1fc7e7076e3b6f6859d1ad39c7da7d1fdffb8cf67d90d

Score

10^/10

xloader m6t2 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6t2

C2

http://www.vmhenterprise.com/m6t2/

Decoy

somethinghaatke.net

bluehubwriters.com

ptfitnet.com

coastelevatorinteriors.com

hellensilvamkd.com

feekyfeeky.com

studioemiko.com

high-clicks2.com

troyleedesigns.club

peopletrucksinsurance.com

lameducation.com

pundiajaib.com

photosonunderwear.com

hautegirlmarket.com

groopadamce.quest

ignitivehq.com

partyprintable.digital

unlimitedrehab.com

awaytraveltnpasumo6.xyz

hourly.limo

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/916-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/916-125-0x000000000041D450-mapping.dmp	xloader
behavioral2/memory/916-128-0x0000000000F00000-0x000000000104A000-memory.dmp	xloader
behavioral2/memory/2876-132-0x0000000000B30000-0x0000000000B59000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL invoice KULIR00895239.pdf.exeDHL invoice KULIR00895239.pdf.exemsdt.exe

description	pid	process	target process
PID 500 set thread context of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 916 set thread context of 3008	916	DHL invoice KULIR00895239.pdf.exe	Explorer.EXE
PID 2876 set thread context of 3008	2876	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

DHL invoice KULIR00895239.pdf.exemsdt.exe

pid	process
916	DHL invoice KULIR00895239.pdf.exe
916	DHL invoice KULIR00895239.pdf.exe
916	DHL invoice KULIR00895239.pdf.exe
916	DHL invoice KULIR00895239.pdf.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe
2876	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL invoice KULIR00895239.pdf.exemsdt.exe

pid process

916 DHL invoice KULIR00895239.pdf.exe
916 DHL invoice KULIR00895239.pdf.exe
916 DHL invoice KULIR00895239.pdf.exe
2876 msdt.exe
2876 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL invoice KULIR00895239.pdf.exemsdt.exe

description pid process

Token: SeDebugPrivilege 916 DHL invoice KULIR00895239.pdf.exe
Token: SeDebugPrivilege 2876 msdt.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	916	DHL invoice KULIR00895239.pdf.exe
Token: SeDebugPrivilege	2876	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL invoice KULIR00895239.pdf.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 500 wrote to memory of 916	500	DHL invoice KULIR00895239.pdf.exe	DHL invoice KULIR00895239.pdf.exe
PID 3008 wrote to memory of 2876	3008	Explorer.EXE	msdt.exe
PID 3008 wrote to memory of 2876	3008	Explorer.EXE	msdt.exe
PID 3008 wrote to memory of 2876	3008	Explorer.EXE	msdt.exe
PID 2876 wrote to memory of 1524	2876	msdt.exe	cmd.exe
PID 2876 wrote to memory of 1524	2876	msdt.exe	cmd.exe
PID 2876 wrote to memory of 1524	2876	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
3⤵
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-115-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/500-117-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/500-118-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/500-119-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/500-120-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/500-121-0x00000000059C0000-0x00000000059C7000-memory.dmp

Filesize
28KB

Download
memory/500-122-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/500-123-0x00000000062C0000-0x000000000630B000-memory.dmp

Filesize
300KB

Download
memory/916-128-0x0000000000F00000-0x000000000104A000-memory.dmp

Filesize
1.3MB

Download
memory/916-125-0x000000000041D450-mapping.dmp

Download
memory/916-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/916-127-0x0000000001510000-0x0000000001830000-memory.dmp

Filesize
3.1MB

Download
memory/1524-133-0x0000000000000000-mapping.dmp

Download
memory/2876-130-0x0000000000000000-mapping.dmp

Download
memory/2876-131-0x0000000001220000-0x0000000001393000-memory.dmp

Filesize
1.4MB

Download
memory/2876-132-0x0000000000B30000-0x0000000000B59000-memory.dmp

Filesize
164KB

Download
memory/2876-134-0x0000000004F00000-0x0000000005220000-memory.dmp

Filesize
3.1MB

Download
memory/2876-135-0x0000000004D60000-0x0000000004DF0000-memory.dmp

Filesize
576KB

Download
memory/3008-129-0x0000000005C20000-0x0000000005D66000-memory.dmp

Filesize
1.3MB

Download
memory/3008-136-0x0000000006BD0000-0x0000000006CE5000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads