xloader | 9afdb99019075297859112547af462379993b79cbae5f8f9076952c6f088646c

General

Target

Enquiry Reference Number 0025559278.exe
Size

744KB
MD5

cd9435966d20de265bc5f6f40daff4a3
SHA1

76cb2ab21a6009275ba3dcbe256a15a211833f35
SHA256

45790f1cc3cb37ecfe541981ddf9d25684d92576cceb6bdb809f345014de84f0
SHA512

95b3749be5950d52c3124df37971a0d03f3c7dd10168df13d9d2a2e523f6c435e51866207d9263f12164d86ab9e310ad098175ef59b9f1d83c678197cb44d528

Score

10^/10

xloader u0n0 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u0n0

C2

http://www.52xjg3.xyz/u0n0/

Decoy

learnwithvr.net

minismi2.com

slimfitbottle.com

gzartisan.com

fullfamilyclub.com

adaptationstudios.com

domynt.com

aboydnfuid.com

dirtroaddesigns.net

timhortons-ca.xyz

gladiator-111.com

breakingza.com

njjbds.com

keithrgordon.com

litestore365.host

unichromegame.com

wundversorgung-tirol.com

wholistic-choice.com

shingletownrrn.com

kapikenya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/552-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/552-64-0x000000000041D440-mapping.dmp	xloader
behavioral1/memory/1088-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

988 cmd.exe

pid	process
988	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Enquiry Reference Number 0025559278.exeEnquiry Reference Number 0025559278.exenetsh.exe

description	pid	process	target process
PID 1472 set thread context of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 552 set thread context of 1412	552	Enquiry Reference Number 0025559278.exe	Explorer.EXE
PID 1088 set thread context of 1412	1088	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Enquiry Reference Number 0025559278.exenetsh.exe

pid	process
552	Enquiry Reference Number 0025559278.exe
552	Enquiry Reference Number 0025559278.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe
1088	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Enquiry Reference Number 0025559278.exenetsh.exe

pid	process
552	Enquiry Reference Number 0025559278.exe
552	Enquiry Reference Number 0025559278.exe
552	Enquiry Reference Number 0025559278.exe
1088	netsh.exe
1088	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Enquiry Reference Number 0025559278.exenetsh.exe

description pid process

Token: SeDebugPrivilege 552 Enquiry Reference Number 0025559278.exe
Token: SeDebugPrivilege 1088 netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	552	Enquiry Reference Number 0025559278.exe
Token: SeDebugPrivilege	1088	netsh.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Enquiry Reference Number 0025559278.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1472 wrote to memory of 552	1472	Enquiry Reference Number 0025559278.exe	Enquiry Reference Number 0025559278.exe
PID 1412 wrote to memory of 1088	1412	Explorer.EXE	netsh.exe
PID 1412 wrote to memory of 1088	1412	Explorer.EXE	netsh.exe
PID 1412 wrote to memory of 1088	1412	Explorer.EXE	netsh.exe
PID 1412 wrote to memory of 1088	1412	Explorer.EXE	netsh.exe
PID 1088 wrote to memory of 988	1088	netsh.exe	cmd.exe
PID 1088 wrote to memory of 988	1088	netsh.exe	cmd.exe
PID 1088 wrote to memory of 988	1088	netsh.exe	cmd.exe
PID 1088 wrote to memory of 988	1088	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
3⤵
- Deletes itself
PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-67-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/552-65-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/552-64-0x000000000041D440-mapping.dmp

Download
memory/552-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/988-70-0x0000000000000000-mapping.dmp

Download
memory/1088-69-0x0000000000000000-mapping.dmp

Download
memory/1088-71-0x00000000012D0000-0x00000000012EB000-memory.dmp

Filesize
108KB

Download
memory/1088-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1088-73-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/1088-74-0x0000000000990000-0x0000000000A20000-memory.dmp

Filesize
576KB

Download
memory/1412-68-0x0000000004EE0000-0x0000000004FDE000-memory.dmp

Filesize
1016KB

Download
memory/1412-75-0x0000000005160000-0x00000000052C5000-memory.dmp

Filesize
1.4MB

Download
memory/1472-60-0x00000000051D0000-0x0000000005216000-memory.dmp

Filesize
280KB

Download
memory/1472-59-0x0000000000440000-0x0000000000447000-memory.dmp

Filesize
28KB

Download
memory/1472-58-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1472-55-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1472-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads