xloader | cd11ff6fd92ca115b19fec46fbb9d1ef8540bc1e2ffc21ffcb46ef1f22482e0c

General

Target

PO NOVEMBER 2021 22 PDF.exe
Size

1012KB
MD5

96423701a8a3e23e41a7e6d6542f2dc6
SHA1

6116c35ff15742f9373ec512e474331e2b1eeffe
SHA256

015174d2840ba0ff84b09efa54379b87fdb761a306d55ec707353f162b8ba39a
SHA512

cc0e48830c2c0d503ac37e8b6000eb4c8060c25a86abe72e1122b5bd2645f7855be267ec5ffcc28166389200228275a0d4ca13d38a1f1d08a95740a8c1987509

Score

10^/10

xloader re6p agilenet loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

re6p

C2

http://www.workwithmarym.com/re6p/

Decoy

jedidpress.com

firstimpression.global

iflycny.com

greenandskin.com

tt9577.com

sumidocpa.com

readsprouts.com

heavenlyhighcreations.com

jlhvz.com

ita-web.com

graeds.com

soundtolight.xyz

rajtantra.net

wearinganawesomewoman.store

hrappur.net

wangmiaojf.xyz

youtogo.xyz

mydeadzone.com

qenagypsum.com

kopijhony.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/668-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/668-65-0x000000000041D480-mapping.dmp	xloader
behavioral1/memory/668-70-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1056-76-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1960 cmd.exe

pid	process
1960	cmd.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2036-58-0x00000000004F0000-0x0000000000511000-memory.dmp	agile_net

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewininit.exe

description	pid	process	target process
PID 2036 set thread context of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 668 set thread context of 1300	668	PO NOVEMBER 2021 22 PDF.exe	Explorer.EXE
PID 668 set thread context of 1300	668	PO NOVEMBER 2021 22 PDF.exe	Explorer.EXE
PID 1056 set thread context of 1300	1056	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewininit.exe

pid	process
2036	PO NOVEMBER 2021 22 PDF.exe
2036	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe
1056	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exewininit.exe

pid	process
668	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
668	PO NOVEMBER 2021 22 PDF.exe
1056	wininit.exe
1056	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	2036	PO NOVEMBER 2021 22 PDF.exe
Token: SeDebugPrivilege	668	PO NOVEMBER 2021 22 PDF.exe
Token: SeDebugPrivilege	1056	wininit.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2036 wrote to memory of 668	2036	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 1300 wrote to memory of 1056	1300	Explorer.EXE	wininit.exe
PID 1300 wrote to memory of 1056	1300	Explorer.EXE	wininit.exe
PID 1300 wrote to memory of 1056	1300	Explorer.EXE	wininit.exe
PID 1300 wrote to memory of 1056	1300	Explorer.EXE	wininit.exe
PID 1056 wrote to memory of 1960	1056	wininit.exe	cmd.exe
PID 1056 wrote to memory of 1960	1056	wininit.exe	cmd.exe
PID 1056 wrote to memory of 1960	1056	wininit.exe	cmd.exe
PID 1056 wrote to memory of 1960	1056	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
3⤵
- Deletes itself
PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/668-71-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/668-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/668-67-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/668-68-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/668-65-0x000000000041D480-mapping.dmp

Download
memory/668-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/668-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1056-75-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/1056-73-0x0000000000000000-mapping.dmp

Download
memory/1056-79-0x0000000000510000-0x00000000005A0000-memory.dmp

Filesize
576KB

Download
memory/1056-78-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1056-77-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/1056-76-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1300-72-0x00000000071E0000-0x000000000730D000-memory.dmp

Filesize
1.2MB

Download
memory/1300-69-0x00000000070C0000-0x00000000071D8000-memory.dmp

Filesize
1.1MB

Download
memory/1300-80-0x00000000074D0000-0x0000000007652000-memory.dmp

Filesize
1.5MB

Download
memory/1960-74-0x0000000000000000-mapping.dmp

Download
memory/2036-61-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2036-57-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2036-55-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2036-58-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/2036-59-0x0000000004A51000-0x0000000004A52000-memory.dmp

Filesize
4KB

Download
memory/2036-60-0x0000000000610000-0x000000000061B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads