xloader | 3ed36b8022b12ec4f03856980ae7bcbdd4b0e192bc7c0dbf4b4c190e24b5eac0

General

Target

SOA.exe
Size

580KB
MD5

a0661a2081100ffcb2a6f012237c4955
SHA1

2331112fa3c9357aaba68c3d7402b112c705c72a
SHA256

11f0960531aa51e1fc9e04c007c60d731d309baa35e90d9d4e9c49feff74d47d
SHA512

dd3173fd770ec1601a6b454d450ce8118c596b3e72ead12c79df5f3dd4165be9892b8273775b9da1aa6136a55898bfb31a4da2c16e15303b402c00e9b117b774

Score

10^/10

xloader imm8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

imm8

C2

http://www.hideserthealthinsurance.com/imm8/

Decoy

ewgnkxdgtqfspem.com

patxipiruli.com

eejy.ltd

parc-pro.com

kdcindia.com

dimathi.com

majesticreinsstable.com

zhaoyun.xyz

starfroot.com

dikanwang.com

420moxielane.com

danilaschembri.com

stablecoinreviews.com

camham.co.uk

happyspaces4life.com

ivonina.com

businesszukai.com

dietkusimple.com

nomeasureu.com

youthcampresources.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1844-125-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1844-126-0x000000000041D030-mapping.dmp	xloader
behavioral2/memory/816-134-0x0000000002870000-0x0000000002898000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

SOA.exeRegSvcs.exerundll32.exe

description	pid	process	target process
PID 3164 set thread context of 1844	3164	SOA.exe	RegSvcs.exe
PID 1844 set thread context of 2920	1844	RegSvcs.exe	Explorer.EXE
PID 816 set thread context of 2920	816	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

SOA.exeRegSvcs.exerundll32.exe

pid	process
3164	SOA.exe
3164	SOA.exe
1844	RegSvcs.exe
1844	RegSvcs.exe
1844	RegSvcs.exe
1844	RegSvcs.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2920 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exerundll32.exe

pid process

1844 RegSvcs.exe
1844 RegSvcs.exe
1844 RegSvcs.exe
816 rundll32.exe
816 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SOA.exeRegSvcs.exerundll32.exe

description pid process

Token: SeDebugPrivilege 3164 SOA.exe
Token: SeDebugPrivilege 1844 RegSvcs.exe
Token: SeDebugPrivilege 816 rundll32.exe

pid	process
2920	Explorer.EXE

pid	process
1844	RegSvcs.exe
1844	RegSvcs.exe
1844	RegSvcs.exe
816	rundll32.exe
816	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3164	SOA.exe
Token: SeDebugPrivilege	1844	RegSvcs.exe
Token: SeDebugPrivilege	816	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SOA.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 3164 wrote to memory of 1844	3164	SOA.exe	RegSvcs.exe
PID 2920 wrote to memory of 816	2920	Explorer.EXE	rundll32.exe
PID 2920 wrote to memory of 816	2920	Explorer.EXE	rundll32.exe
PID 2920 wrote to memory of 816	2920	Explorer.EXE	rundll32.exe
PID 816 wrote to memory of 1512	816	rundll32.exe	cmd.exe
PID 816 wrote to memory of 1512	816	rundll32.exe	cmd.exe
PID 816 wrote to memory of 1512	816	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2920

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-131-0x0000000000000000-mapping.dmp

Download
memory/816-136-0x0000000004390000-0x000000000441F000-memory.dmp

Filesize
572KB

Download
memory/816-133-0x0000000000280000-0x0000000000293000-memory.dmp

Filesize
76KB

Download
memory/816-135-0x00000000045D0000-0x00000000048F0000-memory.dmp

Filesize
3.1MB

Download
memory/816-134-0x0000000002870000-0x0000000002898000-memory.dmp

Filesize
160KB

Download
memory/1512-132-0x0000000000000000-mapping.dmp

Download
memory/1844-126-0x000000000041D030-mapping.dmp

Download
memory/1844-128-0x0000000001830000-0x0000000001B50000-memory.dmp

Filesize
3.1MB

Download
memory/1844-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1844-129-0x00000000017B0000-0x00000000017C0000-memory.dmp

Filesize
64KB

Download
memory/2920-137-0x0000000004760000-0x0000000004891000-memory.dmp

Filesize
1.2MB

Download
memory/2920-130-0x0000000002640000-0x00000000026F2000-memory.dmp

Filesize
712KB

Download
memory/3164-115-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3164-123-0x0000000008900000-0x0000000008978000-memory.dmp

Filesize
480KB

Download
memory/3164-122-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/3164-121-0x00000000051F0000-0x00000000051F7000-memory.dmp

Filesize
28KB

Download
memory/3164-120-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3164-119-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3164-118-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3164-117-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3164-124-0x000000000B0C0000-0x000000000B103000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads