xloader | f0ae9d90c4398fa87349000d09a683a6c70487b48fbb05520db4edd5b76236ad

General

Target

b1ab3afa8e3a73c26f65463635d68aad.exe
Size

1.0MB
MD5

b1ab3afa8e3a73c26f65463635d68aad
SHA1

8a22c9b3e90389c28880402e9f1a5176cea5759c
SHA256

f0ae9d90c4398fa87349000d09a683a6c70487b48fbb05520db4edd5b76236ad
SHA512

01d9fcf1d60626816c1d9721cec27f4bfb9a3085a64a5da5ecaf2e665c8da7b6c98a49e90bea4ef37ced0243a13de30ef1a61beaf346ddb9e0dd1b51f4be082a

Score

10^/10

xloader uhq3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uhq3

Decoy

lionsclubtunisdoyen.com

artchemindia.com

blaulicht.cloud

szlaaf.com

erucestech.com

gazeteyenidunya.xyz

ps-sac.com

maedatoshiie.site

hothess.com

nbeight.com

sufamiturbo.com

myfamilylegacy.online

cupsnax.com

c2cuae.com

mabibliothequehomepage.online

poultryvet.guide

immobilier-alienor.net

losthegame.com

creditturf.com

skillspedia.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/568-61-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/568-62-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1988-69-0x0000000000130000-0x0000000000159000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

b1ab3afa8e3a73c26f65463635d68aad.exediantz.exerundll32.exe

description	pid	process	target process
PID 1320 set thread context of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 568 set thread context of 1380	568	diantz.exe	Explorer.EXE
PID 1988 set thread context of 1380	1988	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

b1ab3afa8e3a73c26f65463635d68aad.exediantz.exerundll32.exe

pid	process
1320	b1ab3afa8e3a73c26f65463635d68aad.exe
1320	b1ab3afa8e3a73c26f65463635d68aad.exe
1320	b1ab3afa8e3a73c26f65463635d68aad.exe
1320	b1ab3afa8e3a73c26f65463635d68aad.exe
568	diantz.exe
568	diantz.exe
1320	b1ab3afa8e3a73c26f65463635d68aad.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

diantz.exerundll32.exe

pid process

568 diantz.exe
568 diantz.exe
568 diantz.exe
1988 rundll32.exe
1988 rundll32.exe

pid	process
1380	Explorer.EXE

pid	process
568	diantz.exe
568	diantz.exe
568	diantz.exe
1988	rundll32.exe
1988	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b1ab3afa8e3a73c26f65463635d68aad.exediantz.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1320	b1ab3afa8e3a73c26f65463635d68aad.exe
Token: SeDebugPrivilege	568	diantz.exe
Token: SeDebugPrivilege	1988	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b1ab3afa8e3a73c26f65463635d68aad.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1320 wrote to memory of 568	1320	b1ab3afa8e3a73c26f65463635d68aad.exe	diantz.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1380 wrote to memory of 1988	1380	Explorer.EXE	rundll32.exe
PID 1988 wrote to memory of 1592	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 1592	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 1592	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 1592	1988	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\b1ab3afa8e3a73c26f65463635d68aad.exe
"C:\Users\Admin\AppData\Local\Temp\b1ab3afa8e3a73c26f65463635d68aad.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\diantz.exe
"C:\Windows\SysWOW64\diantz.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\diantz.exe"
3⤵
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-65-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/568-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/568-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/568-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/568-64-0x00000000009F0000-0x0000000000CF3000-memory.dmp

Filesize
3.0MB

Download
memory/568-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1320-58-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/1320-57-0x0000000004D40000-0x0000000004DFA000-memory.dmp

Filesize
744KB

Download
memory/1320-56-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1320-55-0x0000000000FC0000-0x00000000010D2000-memory.dmp

Filesize
1.1MB

Download
memory/1380-66-0x0000000007200000-0x000000000737B000-memory.dmp

Filesize
1.5MB

Download
memory/1380-72-0x0000000005CB0000-0x0000000005D58000-memory.dmp

Filesize
672KB

Download
memory/1988-67-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1988-68-0x00000000000B0000-0x00000000000BE000-memory.dmp

Filesize
56KB

Download
memory/1988-69-0x0000000000130000-0x0000000000159000-memory.dmp

Filesize
164KB

Download
memory/1988-70-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1988-71-0x0000000001DA0000-0x0000000001E30000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads