xloader | 7254ad698d310793a1caa4fd73c6e3b0fa01002b5a8fb71783991fe405219283

General

Target

4tWrWVF8FkB9IrJ.exe
Size

414KB
MD5

edcc11c57c2fb4d186e43c373e26767e
SHA1

9213cc1be29f552bb97312cba2d7976a682c77bb
SHA256

72417f2e53964171cecc3819ad3033955ef54b7eb0d7cb542fe089d4f19c5f5d
SHA512

efafe40f26016e6e7853b94f43431b29ce75cf14c92feba4f15cadcd9fd18080d0b770e0dbbff992616d0842c6d5d6c661151cc6776fae3cb6d2d49cb6e6476e

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

tablescaperendezvous4two.net

abktransportllc.net

roseevision.com

skategrindingwheels.com

robux-generator-free.xyz

yacusi.com

mgav35.xyz

paravocecommerce.com

venkatramanrm.com

freakyhamster.com

jenaashoponline.com

dmozlisting.com

lorrainekclark.store

handyman-prime.com

thecrashingbrains.com

ukpms.com

livingstonemines.com

papeisonline.com

chrisbakerpr.com

omnipets.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3512-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3512-130-0x0000000000A80000-0x0000000000C13000-memory.dmp	xloader
behavioral2/memory/2836-134-0x0000000002EC0000-0x0000000002EE9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

4tWrWVF8FkB9IrJ.exe4tWrWVF8FkB9IrJ.exemsdt.exe

description	pid	process	target process
PID 3764 set thread context of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3512 set thread context of 3004	3512	4tWrWVF8FkB9IrJ.exe	Explorer.EXE
PID 2836 set thread context of 3004	2836	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

4tWrWVF8FkB9IrJ.exe4tWrWVF8FkB9IrJ.exemsdt.exe

pid	process
3764	4tWrWVF8FkB9IrJ.exe
3764	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe
2836	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3004 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

4tWrWVF8FkB9IrJ.exemsdt.exe

pid process

3512 4tWrWVF8FkB9IrJ.exe
3512 4tWrWVF8FkB9IrJ.exe
3512 4tWrWVF8FkB9IrJ.exe
2836 msdt.exe
2836 msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4tWrWVF8FkB9IrJ.exe4tWrWVF8FkB9IrJ.exemsdt.exe

description pid process

Token: SeDebugPrivilege 3764 4tWrWVF8FkB9IrJ.exe
Token: SeDebugPrivilege 3512 4tWrWVF8FkB9IrJ.exe
Token: SeDebugPrivilege 2836 msdt.exe

pid	process
3004	Explorer.EXE

pid	process
3512	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
3512	4tWrWVF8FkB9IrJ.exe
2836	msdt.exe
2836	msdt.exe

description	pid	process
Token: SeDebugPrivilege	3764	4tWrWVF8FkB9IrJ.exe
Token: SeDebugPrivilege	3512	4tWrWVF8FkB9IrJ.exe
Token: SeDebugPrivilege	2836	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4tWrWVF8FkB9IrJ.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 3764 wrote to memory of 2828	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 2828	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 2828	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3764 wrote to memory of 3512	3764	4tWrWVF8FkB9IrJ.exe	4tWrWVF8FkB9IrJ.exe
PID 3004 wrote to memory of 2836	3004	Explorer.EXE	msdt.exe
PID 3004 wrote to memory of 2836	3004	Explorer.EXE	msdt.exe
PID 3004 wrote to memory of 2836	3004	Explorer.EXE	msdt.exe
PID 2836 wrote to memory of 3972	2836	msdt.exe	cmd.exe
PID 2836 wrote to memory of 3972	2836	msdt.exe	cmd.exe
PID 2836 wrote to memory of 3972	2836	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe
"C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe
"C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe"
3⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe
"C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\4tWrWVF8FkB9IrJ.exe"
3⤵
PID:3972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2836-135-0x00000000043F0000-0x0000000004580000-memory.dmp

Filesize
1.6MB

Download
memory/2836-134-0x0000000002EC0000-0x0000000002EE9000-memory.dmp

Filesize
164KB

Download
memory/2836-133-0x0000000004580000-0x00000000048A0000-memory.dmp

Filesize
3.1MB

Download
memory/2836-132-0x00000000000B0000-0x0000000000223000-memory.dmp

Filesize
1.4MB

Download
memory/3004-136-0x00000000028C0000-0x000000000297B000-memory.dmp

Filesize
748KB

Download
memory/3004-131-0x0000000006A50000-0x0000000006B9E000-memory.dmp

Filesize
1.3MB

Download
memory/3512-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-130-0x0000000000A80000-0x0000000000C13000-memory.dmp

Filesize
1.6MB

Download
memory/3512-129-0x0000000000EF0000-0x0000000001210000-memory.dmp

Filesize
3.1MB

Download
memory/3764-122-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/3764-126-0x0000000006260000-0x00000000062BE000-memory.dmp

Filesize
376KB

Download
memory/3764-125-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/3764-124-0x0000000005DA0000-0x0000000005DAE000-memory.dmp

Filesize
56KB

Download
memory/3764-123-0x0000000005E30000-0x0000000005ECC000-memory.dmp

Filesize
624KB

Download
memory/3764-118-0x0000000000A00000-0x0000000000A6E000-memory.dmp

Filesize
440KB

Download
memory/3764-121-0x0000000005330000-0x000000000582E000-memory.dmp

Filesize
5.0MB

Download
memory/3764-120-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/3764-119-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads