xloader | 6440e29b946df58c3cbd6ecdfb42ae88bb42d19b892bce094abf6834019c051f

General

Target

PO#202110223.exe
Size

358KB
MD5

83b2d40ea6befc3d84aa4a074b44d883
SHA1

92705faddead19db804e2c4d919f661afe0c3453
SHA256

6440e29b946df58c3cbd6ecdfb42ae88bb42d19b892bce094abf6834019c051f
SHA512

d018645af02a775f001ecf84ce06f0fe51f8df4c40902b5c1e570fa43bbb50ee9af86a86cc872f8f37a5860eb0729552435a8b862a4c3f17d85954b6c6c3d864

Score

10^/10

xloader op08 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

op08

C2

http://www.jjmpestman.com/op08/

Decoy

youva.online

bbyyn1.xyz

cuttizy.com

octoorder.com

empiredigitaldating.com

giuseppedelcampo.com

kingstons.info

kwanta.info

soulworkerrush.com

sookrit.com

flambeauxartpottery.com

360metaverse.online

adnilm.com

interiordesignhampshire.com

bitpaynumber.support

aliancafm.com

tivohub.xyz

xn--ucy193f.com

smartmapom.com

thelifeofrileyelizabeth.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/840-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/840-64-0x000000000041D420-mapping.dmp	xloader
behavioral1/memory/1940-72-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

300 cmd.exe

pid	process
300	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO#202110223.exePO#202110223.exewuapp.exe

description	pid	process	target process
PID 1820 set thread context of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 840 set thread context of 1268	840	PO#202110223.exe	Explorer.EXE
PID 1940 set thread context of 1268	1940	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

PO#202110223.exePO#202110223.exewuapp.exe

pid	process
1820	PO#202110223.exe
840	PO#202110223.exe
840	PO#202110223.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe
1940	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO#202110223.exewuapp.exe

pid process

840 PO#202110223.exe
840 PO#202110223.exe
840 PO#202110223.exe
1940 wuapp.exe
1940 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO#202110223.exePO#202110223.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1820 PO#202110223.exe
Token: SeDebugPrivilege 840 PO#202110223.exe
Token: SeDebugPrivilege 1940 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
840	PO#202110223.exe
840	PO#202110223.exe
840	PO#202110223.exe
1940	wuapp.exe
1940	wuapp.exe

description	pid	process
Token: SeDebugPrivilege	1820	PO#202110223.exe
Token: SeDebugPrivilege	840	PO#202110223.exe
Token: SeDebugPrivilege	1940	wuapp.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

PO#202110223.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1820 wrote to memory of 992	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 992	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 992	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 992	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1820 wrote to memory of 840	1820	PO#202110223.exe	PO#202110223.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1268 wrote to memory of 1940	1268	Explorer.EXE	wuapp.exe
PID 1940 wrote to memory of 300	1940	wuapp.exe	cmd.exe
PID 1940 wrote to memory of 300	1940	wuapp.exe	cmd.exe
PID 1940 wrote to memory of 300	1940	wuapp.exe	cmd.exe
PID 1940 wrote to memory of 300	1940	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe"
3⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#202110223.exe"
3⤵
- Deletes itself
PID:300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-70-0x0000000000000000-mapping.dmp

Download
memory/840-67-0x0000000000150000-0x0000000000161000-memory.dmp

Filesize
68KB

Download
memory/840-66-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/840-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/840-64-0x000000000041D420-mapping.dmp

Download
memory/1268-75-0x0000000006FD0000-0x0000000007129000-memory.dmp

Filesize
1.3MB

Download
memory/1268-68-0x0000000003E70000-0x0000000003F2F000-memory.dmp

Filesize
764KB

Download
memory/1820-60-0x00000000020D0000-0x000000000211A000-memory.dmp

Filesize
296KB

Download
memory/1820-55-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1820-59-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1820-58-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1820-57-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download
memory/1940-69-0x0000000000000000-mapping.dmp

Download
memory/1940-71-0x00000000010C0000-0x00000000010CB000-memory.dmp

Filesize
44KB

Download
memory/1940-72-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1940-73-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/1940-74-0x00000000007C0000-0x0000000000850000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads