xloader | cd11ff6fd92ca115b19fec46fbb9d1ef8540bc1e2ffc21ffcb46ef1f22482e0c

General

Target

PO NOVEMBER 2021 22 PDF.exe
Size

1012KB
MD5

96423701a8a3e23e41a7e6d6542f2dc6
SHA1

6116c35ff15742f9373ec512e474331e2b1eeffe
SHA256

015174d2840ba0ff84b09efa54379b87fdb761a306d55ec707353f162b8ba39a
SHA512

cc0e48830c2c0d503ac37e8b6000eb4c8060c25a86abe72e1122b5bd2645f7855be267ec5ffcc28166389200228275a0d4ca13d38a1f1d08a95740a8c1987509

Score

10^/10

xloader re6p agilenet loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

re6p

C2

http://www.workwithmarym.com/re6p/

Decoy

jedidpress.com

firstimpression.global

iflycny.com

greenandskin.com

tt9577.com

sumidocpa.com

readsprouts.com

heavenlyhighcreations.com

jlhvz.com

ita-web.com

graeds.com

soundtolight.xyz

rajtantra.net

wearinganawesomewoman.store

hrappur.net

wangmiaojf.xyz

youtogo.xyz

mydeadzone.com

qenagypsum.com

kopijhony.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3160-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3160-128-0x000000000041D480-mapping.dmp	xloader
behavioral2/memory/64-135-0x0000000000280000-0x00000000002A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

38 64 wscript.exe

flow	pid	process
38	64	wscript.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2504-121-0x0000000005950000-0x0000000005971000-memory.dmp	agile_net
behavioral2/memory/2504-124-0x0000000002E00000-0x0000000002E9C000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewscript.exe

description	pid	process	target process
PID 2504 set thread context of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 3160 set thread context of 3056	3160	PO NOVEMBER 2021 22 PDF.exe	Explorer.EXE
PID 64 set thread context of 3056	64	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewscript.exe

pid	process
2504	PO NOVEMBER 2021 22 PDF.exe
2504	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe
64	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exewscript.exe

pid process

3160 PO NOVEMBER 2021 22 PDF.exe
3160 PO NOVEMBER 2021 22 PDF.exe
3160 PO NOVEMBER 2021 22 PDF.exe
64 wscript.exe
64 wscript.exe

pid	process
3056	Explorer.EXE

pid	process
3160	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
3160	PO NOVEMBER 2021 22 PDF.exe
64	wscript.exe
64	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exePO NOVEMBER 2021 22 PDF.exewscript.exe

description	pid	process
Token: SeDebugPrivilege	2504	PO NOVEMBER 2021 22 PDF.exe
Token: SeDebugPrivilege	3160	PO NOVEMBER 2021 22 PDF.exe
Token: SeDebugPrivilege	64	wscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO NOVEMBER 2021 22 PDF.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 2504 wrote to memory of 3160	2504	PO NOVEMBER 2021 22 PDF.exe	PO NOVEMBER 2021 22 PDF.exe
PID 3056 wrote to memory of 64	3056	Explorer.EXE	wscript.exe
PID 3056 wrote to memory of 64	3056	Explorer.EXE	wscript.exe
PID 3056 wrote to memory of 64	3056	Explorer.EXE	wscript.exe
PID 64 wrote to memory of 1620	64	wscript.exe	cmd.exe
PID 64 wrote to memory of 1620	64	wscript.exe	cmd.exe
PID 64 wrote to memory of 1620	64	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1832

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO NOVEMBER 2021 22 PDF.exe"
3⤵
PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-133-0x0000000000000000-mapping.dmp

Download
memory/64-138-0x0000000004520000-0x00000000045B0000-memory.dmp

Filesize
576KB

Download
memory/64-136-0x0000000004650000-0x0000000004970000-memory.dmp

Filesize
3.1MB

Download
memory/64-134-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/64-135-0x0000000000280000-0x00000000002A9000-memory.dmp

Filesize
164KB

Download
memory/1620-137-0x0000000000000000-mapping.dmp

Download
memory/2504-126-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/2504-119-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2504-124-0x0000000002E00000-0x0000000002E9C000-memory.dmp

Filesize
624KB

Download
memory/2504-125-0x0000000007040000-0x000000000704B000-memory.dmp

Filesize
44KB

Download
memory/2504-115-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2504-123-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/2504-117-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2504-118-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2504-122-0x0000000006620000-0x0000000006621000-memory.dmp

Filesize
4KB

Download
memory/2504-121-0x0000000005950000-0x0000000005971000-memory.dmp

Filesize
132KB

Download
memory/2504-120-0x0000000002E00000-0x0000000002E9C000-memory.dmp

Filesize
624KB

Download
memory/3056-139-0x00000000028C0000-0x0000000002989000-memory.dmp

Filesize
804KB

Download
memory/3056-132-0x0000000006140000-0x00000000062CF000-memory.dmp

Filesize
1.6MB

Download
memory/3160-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3160-130-0x0000000001730000-0x0000000001A50000-memory.dmp

Filesize
3.1MB

Download
memory/3160-131-0x0000000001680000-0x0000000001691000-memory.dmp

Filesize
68KB

Download
memory/3160-128-0x000000000041D480-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads