xloader | 28b77890ae9535db2da6bf03e7c41471d173b86fa67b907dafa38aede34fc148

General

Target

PO_#10292132.exe
Size

377KB
MD5

026df37a937471af093a3e8bc8636b7b
SHA1

57d0b25b3dd1d648c710c3ff5e44041d39d0cafc
SHA256

28b77890ae9535db2da6bf03e7c41471d173b86fa67b907dafa38aede34fc148
SHA512

6efdd2b07055c93e9b18d169ed5f5a9d9aca550b76874ff36c1d6dc8687942bb401916463b85e410def704cdacb8e58d4311336605976bb3426439d557c698c0

Score

10^/10

xloader op08 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

op08

C2

http://www.jjmpestman.com/op08/

Decoy

youva.online

bbyyn1.xyz

cuttizy.com

octoorder.com

empiredigitaldating.com

giuseppedelcampo.com

kingstons.info

kwanta.info

soulworkerrush.com

sookrit.com

flambeauxartpottery.com

360metaverse.online

adnilm.com

interiordesignhampshire.com

bitpaynumber.support

aliancafm.com

tivohub.xyz

xn--ucy193f.com

smartmapom.com

thelifeofrileyelizabeth.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3492-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3492-125-0x000000000041D420-mapping.dmp	xloader
behavioral2/memory/404-132-0x0000000000E00000-0x0000000000E29000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO_#10292132.exePO_#10292132.exeraserver.exe

description	pid	process	target process
PID 2012 set thread context of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 3492 set thread context of 3008	3492	PO_#10292132.exe	Explorer.EXE
PID 404 set thread context of 3008	404	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

PO_#10292132.exeraserver.exe

pid	process
3492	PO_#10292132.exe
3492	PO_#10292132.exe
3492	PO_#10292132.exe
3492	PO_#10292132.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe
404	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO_#10292132.exeraserver.exe

pid process

3492 PO_#10292132.exe
3492 PO_#10292132.exe
3492 PO_#10292132.exe
404 raserver.exe
404 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO_#10292132.exeraserver.exe

description pid process

Token: SeDebugPrivilege 3492 PO_#10292132.exe
Token: SeDebugPrivilege 404 raserver.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3492	PO_#10292132.exe
Token: SeDebugPrivilege	404	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO_#10292132.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 2012 wrote to memory of 3492	2012	PO_#10292132.exe	PO_#10292132.exe
PID 3008 wrote to memory of 404	3008	Explorer.EXE	raserver.exe
PID 3008 wrote to memory of 404	3008	Explorer.EXE	raserver.exe
PID 3008 wrote to memory of 404	3008	Explorer.EXE	raserver.exe
PID 404 wrote to memory of 684	404	raserver.exe	cmd.exe
PID 404 wrote to memory of 684	404	raserver.exe	cmd.exe
PID 404 wrote to memory of 684	404	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\PO_#10292132.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#10292132.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\PO_#10292132.exe
"C:\Users\Admin\AppData\Local\Temp\PO_#10292132.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO_#10292132.exe"
3⤵
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-130-0x0000000000000000-mapping.dmp

Download
memory/404-135-0x0000000001080000-0x0000000001110000-memory.dmp

Filesize
576KB

Download
memory/404-133-0x0000000004560000-0x0000000004880000-memory.dmp

Filesize
3.1MB

Download
memory/404-132-0x0000000000E00000-0x0000000000E29000-memory.dmp

Filesize
164KB

Download
memory/404-131-0x0000000001140000-0x000000000115F000-memory.dmp

Filesize
124KB

Download
memory/684-134-0x0000000000000000-mapping.dmp

Download
memory/2012-121-0x0000000005700000-0x0000000005706000-memory.dmp

Filesize
24KB

Download
memory/2012-119-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/2012-117-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2012-118-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2012-123-0x0000000008BE0000-0x0000000008C2B000-memory.dmp

Filesize
300KB

Download
memory/2012-120-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2012-115-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2012-122-0x0000000008C30000-0x0000000008C31000-memory.dmp

Filesize
4KB

Download
memory/3008-129-0x00000000053E0000-0x00000000054E3000-memory.dmp

Filesize
1.0MB

Download
memory/3008-136-0x0000000002C70000-0x0000000002D57000-memory.dmp

Filesize
924KB

Download
memory/3492-127-0x0000000001A30000-0x0000000001D50000-memory.dmp

Filesize
3.1MB

Download
memory/3492-128-0x0000000001940000-0x0000000001951000-memory.dmp

Filesize
68KB

Download
memory/3492-125-0x000000000041D420-mapping.dmp

Download
memory/3492-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads