xloader | f79592d7f8ba73cf16c31b3ac92427cdf99789a3eece4c873d0522b3429a783f

General

Target

2t9KtoR9xzpJY4E.exe
Size

836KB
MD5

bd741cc655060dbd3967455b7dd445b1
SHA1

94affa3cf3eca5bb47e57ca14fed414af9831c48
SHA256

f79592d7f8ba73cf16c31b3ac92427cdf99789a3eece4c873d0522b3429a783f
SHA512

41ac9e124aadffdf48691775affeaf552a77a3f0283969c374cc6f408756273746c98c26f47e3ddbee5557d18bdae591f13ea0af4e29954ef98a949917301a05

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

tablescaperendezvous4two.net

abktransportllc.net

roseevision.com

skategrindingwheels.com

robux-generator-free.xyz

yacusi.com

mgav35.xyz

paravocecommerce.com

venkatramanrm.com

freakyhamster.com

jenaashoponline.com

dmozlisting.com

lorrainekclark.store

handyman-prime.com

thecrashingbrains.com

ukpms.com

livingstonemines.com

papeisonline.com

chrisbakerpr.com

omnipets.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4652-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4652-127-0x00000000014F0000-0x0000000001685000-memory.dmp	xloader
behavioral2/memory/4704-130-0x0000000002F70000-0x0000000002F99000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

2t9KtoR9xzpJY4E.exe2t9KtoR9xzpJY4E.execolorcpl.exe

description	pid	process	target process
PID 4196 set thread context of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4652 set thread context of 2024	4652	2t9KtoR9xzpJY4E.exe	Explorer.EXE
PID 4704 set thread context of 2024	4704	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

2t9KtoR9xzpJY4E.execolorcpl.exe

pid	process
4652	2t9KtoR9xzpJY4E.exe
4652	2t9KtoR9xzpJY4E.exe
4652	2t9KtoR9xzpJY4E.exe
4652	2t9KtoR9xzpJY4E.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe
4704	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2024 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

2t9KtoR9xzpJY4E.execolorcpl.exe

pid process

4652 2t9KtoR9xzpJY4E.exe
4652 2t9KtoR9xzpJY4E.exe
4652 2t9KtoR9xzpJY4E.exe
4704 colorcpl.exe
4704 colorcpl.exe

pid	process
2024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2t9KtoR9xzpJY4E.exeExplorer.EXEcolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	4652	2t9KtoR9xzpJY4E.exe
Token: SeShutdownPrivilege	2024	Explorer.EXE
Token: SeCreatePagefilePrivilege	2024	Explorer.EXE
Token: SeShutdownPrivilege	2024	Explorer.EXE
Token: SeCreatePagefilePrivilege	2024	Explorer.EXE
Token: SeDebugPrivilege	4704	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2t9KtoR9xzpJY4E.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 4196 wrote to memory of 4652	4196	2t9KtoR9xzpJY4E.exe	2t9KtoR9xzpJY4E.exe
PID 2024 wrote to memory of 4704	2024	Explorer.EXE	colorcpl.exe
PID 2024 wrote to memory of 4704	2024	Explorer.EXE	colorcpl.exe
PID 2024 wrote to memory of 4704	2024	Explorer.EXE	colorcpl.exe
PID 4704 wrote to memory of 4632	4704	colorcpl.exe	cmd.exe
PID 4704 wrote to memory of 4632	4704	colorcpl.exe	cmd.exe
PID 4704 wrote to memory of 4632	4704	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\2t9KtoR9xzpJY4E.exe
"C:\Users\Admin\AppData\Local\Temp\2t9KtoR9xzpJY4E.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\2t9KtoR9xzpJY4E.exe
"C:\Users\Admin\AppData\Local\Temp\2t9KtoR9xzpJY4E.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\2t9KtoR9xzpJY4E.exe"
3⤵
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-128-0x0000000002400000-0x000000000250B000-memory.dmp

Filesize
1.0MB

Download
memory/2024-133-0x0000000004F10000-0x0000000005070000-memory.dmp

Filesize
1.4MB

Download
memory/4196-119-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/4196-117-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4196-115-0x00000000009C0000-0x0000000000A98000-memory.dmp

Filesize
864KB

Download
memory/4196-120-0x00000000052C0000-0x00000000057BE000-memory.dmp

Filesize
5.0MB

Download
memory/4196-121-0x0000000005E80000-0x0000000005E8E000-memory.dmp

Filesize
56KB

Download
memory/4196-122-0x000000007E0D0000-0x000000007E0D1000-memory.dmp

Filesize
4KB

Download
memory/4196-123-0x0000000006270000-0x0000000006318000-memory.dmp

Filesize
672KB

Download
memory/4196-116-0x00000000057C0000-0x0000000005CBE000-memory.dmp

Filesize
5.0MB

Download
memory/4196-118-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/4652-127-0x00000000014F0000-0x0000000001685000-memory.dmp

Filesize
1.6MB

Download
memory/4652-126-0x0000000001830000-0x0000000001B50000-memory.dmp

Filesize
3.1MB

Download
memory/4652-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4704-129-0x0000000000B20000-0x0000000000B39000-memory.dmp

Filesize
100KB

Download
memory/4704-130-0x0000000002F70000-0x0000000002F99000-memory.dmp

Filesize
164KB

Download
memory/4704-131-0x0000000004F10000-0x0000000005230000-memory.dmp

Filesize
3.1MB

Download
memory/4704-132-0x0000000004D70000-0x0000000004F03000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads