xloader | 9ecd8c9e350e594b3698eae609755d3422bd7d88a457731834a931db312a788c

General

Target

PO#00650288.doc.exe
Size

777KB
MD5

c94bd5f674928d2e347a99a84ac09c79
SHA1

8983b3c54e9978f05c7f99ad8ff7f7af8527fbbb
SHA256

9ecd8c9e350e594b3698eae609755d3422bd7d88a457731834a931db312a788c
SHA512

bcea02361b6b1ec2c9e6eb3d0251579c88130c1cfb238dcc2d8cca2b4a9fcd9886b59d30abac4221a4e4b86482bb18cd0b5faefea36fb4b32a25276aac4dc1bc

Score

10^/10

xloader nid3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

nid3

Decoy

bocadilleriapk2guadalajara.com

vaccinatedmaid.com

uvoznaroba.com

sore2.com

carphonegadget.com

0543hm.com

valglobalgroup.com

badbogeyclub.com

sonykameraja.biz

dpz831.icu

wyvernmediagroup.com

jason-luttrell.com

joehcq1.com

1aiizsbb.icu

thelousciouscocoon.com

crypto4.education

letrassinfronteras.com

truemovehispeed.com

se25diy.com

cisdax.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1420-123-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1420-126-0x0000000000F20000-0x00000000010B8000-memory.dmp	xloader
behavioral2/memory/612-129-0x0000000000940000-0x0000000000969000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO#00650288.doc.exePO#00650288.doc.execolorcpl.exe

description	pid	process	target process
PID 3860 set thread context of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 1420 set thread context of 2928	1420	PO#00650288.doc.exe	Explorer.EXE
PID 612 set thread context of 2928	612	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

PO#00650288.doc.exePO#00650288.doc.execolorcpl.exe

pid	process
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
3860	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe
612	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2928 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO#00650288.doc.execolorcpl.exe

pid process

1420 PO#00650288.doc.exe
1420 PO#00650288.doc.exe
1420 PO#00650288.doc.exe
612 colorcpl.exe
612 colorcpl.exe

pid	process
2928	Explorer.EXE

pid	process
1420	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
1420	PO#00650288.doc.exe
612	colorcpl.exe
612	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO#00650288.doc.exePO#00650288.doc.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	3860	PO#00650288.doc.exe
Token: SeDebugPrivilege	1420	PO#00650288.doc.exe
Token: SeDebugPrivilege	612	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO#00650288.doc.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 3860 wrote to memory of 1420	3860	PO#00650288.doc.exe	PO#00650288.doc.exe
PID 2928 wrote to memory of 612	2928	Explorer.EXE	colorcpl.exe
PID 2928 wrote to memory of 612	2928	Explorer.EXE	colorcpl.exe
PID 2928 wrote to memory of 612	2928	Explorer.EXE	colorcpl.exe
PID 612 wrote to memory of 872	612	colorcpl.exe	cmd.exe
PID 612 wrote to memory of 872	612	colorcpl.exe	cmd.exe
PID 612 wrote to memory of 872	612	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\PO#00650288.doc.exe
"C:\Users\Admin\AppData\Local\Temp\PO#00650288.doc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\PO#00650288.doc.exe
"C:\Users\Admin\AppData\Local\Temp\PO#00650288.doc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#00650288.doc.exe"
3⤵
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-129-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/612-131-0x0000000004820000-0x00000000049B9000-memory.dmp

Filesize
1.6MB

Download
memory/612-130-0x0000000004B60000-0x0000000004E80000-memory.dmp

Filesize
3.1MB

Download
memory/612-128-0x0000000000A00000-0x0000000000A19000-memory.dmp

Filesize
100KB

Download
memory/1420-123-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1420-124-0x00000000010C0000-0x00000000013E0000-memory.dmp

Filesize
3.1MB

Download
memory/1420-126-0x0000000000F20000-0x00000000010B8000-memory.dmp

Filesize
1.6MB

Download
memory/2928-127-0x0000000005F40000-0x00000000060B3000-memory.dmp

Filesize
1.4MB

Download
memory/2928-132-0x00000000062B0000-0x00000000063FA000-memory.dmp

Filesize
1.3MB

Download
memory/3860-120-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3860-121-0x0000000007030000-0x00000000070CC000-memory.dmp

Filesize
624KB

Download
memory/3860-122-0x00000000071D0000-0x0000000007230000-memory.dmp

Filesize
384KB

Download
memory/3860-115-0x00000000003B0000-0x0000000000478000-memory.dmp

Filesize
800KB

Download
memory/3860-119-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/3860-118-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/3860-117-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/3860-116-0x00000000052A0000-0x000000000579E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads