xloader | 66ebc2bbaf8ea07be988cce296542d9e1d7d24fbfe4523894bfd5a8c4474502e

General

Target

shipping docs 07853 draft CI+PL_pdf.exe
Size

405KB
MD5

d2416ffd6622325de15094f298d46498
SHA1

5a732449aded6f18071dc053ba23031effd9ce1a
SHA256

66ebc2bbaf8ea07be988cce296542d9e1d7d24fbfe4523894bfd5a8c4474502e
SHA512

14df50fdde872c1f11f68dba2fad672dee8c4473abe3ee05f4a1ad7c97d573e08b4bf15dca6bfe63a5d8ebc2d43eb93d9397bd59dbd030b429359e5992b263fe

Score

10^/10

xloader bs8f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

C2

http://www.rwilogisticsandbrokerage.com/bs8f/

Decoy

vasilnikov.com

parkate.club

pol360.com

handmadequatang.com

consult-set.com

nourkoki.com

theveganfusspot.com

dreamssail.com

pinpinyouqian.xyz

satellitphonestore.com

yotosunny.com

telosaolympics.com

gogetemm.com

yozotnpasumo2.xyz

avantgardemarket.com

glenndcp.com

dirtydriverz.com

avaui.com

anchoredtheblog.com

marianaoliveiraarquitetura.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3796-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3796-125-0x000000000041D4C0-mapping.dmp	xloader
behavioral2/memory/3796-130-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

shipping docs 07853 draft CI+PL_pdf.exeshipping docs 07853 draft CI+PL_pdf.exe

description	pid	process	target process
PID 2848 set thread context of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 3796 set thread context of 2872	3796	shipping docs 07853 draft CI+PL_pdf.exe	Explorer.EXE
PID 3796 set thread context of 2872	3796	shipping docs 07853 draft CI+PL_pdf.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

shipping docs 07853 draft CI+PL_pdf.exe

pid	process
3796	shipping docs 07853 draft CI+PL_pdf.exe
3796	shipping docs 07853 draft CI+PL_pdf.exe
3796	shipping docs 07853 draft CI+PL_pdf.exe
3796	shipping docs 07853 draft CI+PL_pdf.exe
3796	shipping docs 07853 draft CI+PL_pdf.exe
3796	shipping docs 07853 draft CI+PL_pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2872 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

shipping docs 07853 draft CI+PL_pdf.exe

pid process

3796 shipping docs 07853 draft CI+PL_pdf.exe
3796 shipping docs 07853 draft CI+PL_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

shipping docs 07853 draft CI+PL_pdf.exe

description pid process

Token: SeDebugPrivilege 3796 shipping docs 07853 draft CI+PL_pdf.exe

pid	process
2872	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3796	shipping docs 07853 draft CI+PL_pdf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

shipping docs 07853 draft CI+PL_pdf.exe

description	pid	process	target process
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe
PID 2848 wrote to memory of 3796	2848	shipping docs 07853 draft CI+PL_pdf.exe	shipping docs 07853 draft CI+PL_pdf.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2872

C:\Users\Admin\AppData\Local\Temp\shipping docs 07853 draft CI+PL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping docs 07853 draft CI+PL_pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\shipping docs 07853 draft CI+PL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping docs 07853 draft CI+PL_pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-115-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2848-117-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/2848-118-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2848-119-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2848-120-0x00000000059A0000-0x00000000059A6000-memory.dmp

Filesize
24KB

Download
memory/2848-121-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/2848-122-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/2848-123-0x00000000077F0000-0x000000000783A000-memory.dmp

Filesize
296KB

Download
memory/2872-129-0x0000000005E50000-0x0000000005F61000-memory.dmp

Filesize
1.1MB

Download
memory/2872-132-0x0000000005AC0000-0x0000000005C50000-memory.dmp

Filesize
1.6MB

Download
memory/3796-125-0x000000000041D4C0-mapping.dmp

Download
memory/3796-126-0x0000000001480000-0x00000000017A0000-memory.dmp

Filesize
3.1MB

Download
memory/3796-128-0x00000000013C0000-0x00000000013D1000-memory.dmp

Filesize
68KB

Download
memory/3796-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3796-130-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3796-131-0x0000000001400000-0x0000000001411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads