xloader | 472f77899f797ab92af8a3b5eacbf827ce8e287971f4dd3a9f23ae00d7b25475

General

Target

SNO22 PriceLetter595406_RACX-159814.exe
Size

7KB
MD5

7088f42f3e34585a113c57d472e7f6e9
SHA1

a3bae33f21a6068eb3c76bc3e74c61df20d5596b
SHA256

472f77899f797ab92af8a3b5eacbf827ce8e287971f4dd3a9f23ae00d7b25475
SHA512

4a86a834ad2a6cc35ab62aa0af9cd8d9c87d9fa1daf1c8328cba856fc27569c8c7d89e64be714805fdc65af6022d5602c08237f5a1344fc6ff7e9d1c54fccb01

Score

10^/10

xloader p8ce loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/648-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/648-122-0x0000000001250000-0x00000000013E2000-memory.dmp	xloader
behavioral2/memory/2912-125-0x0000000000E90000-0x0000000000EB9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

SNO22 PriceLetter595406_RACX-159814.exeaspnet_regbrowsers.execolorcpl.exe

description	pid	process	target process
PID 2700 set thread context of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 648 set thread context of 3036	648	aspnet_regbrowsers.exe	Explorer.EXE
PID 2912 set thread context of 3036	2912	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

aspnet_regbrowsers.execolorcpl.exe

pid	process
648	aspnet_regbrowsers.exe
648	aspnet_regbrowsers.exe
648	aspnet_regbrowsers.exe
648	aspnet_regbrowsers.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe
2912	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

aspnet_regbrowsers.execolorcpl.exe

pid process

648 aspnet_regbrowsers.exe
648 aspnet_regbrowsers.exe
648 aspnet_regbrowsers.exe
2912 colorcpl.exe
2912 colorcpl.exe

pid	process
3036	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

SNO22 PriceLetter595406_RACX-159814.exeaspnet_regbrowsers.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2700	SNO22 PriceLetter595406_RACX-159814.exe
Token: SeDebugPrivilege	648	aspnet_regbrowsers.exe
Token: SeDebugPrivilege	2912	colorcpl.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SNO22 PriceLetter595406_RACX-159814.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 2700 wrote to memory of 648	2700	SNO22 PriceLetter595406_RACX-159814.exe	aspnet_regbrowsers.exe
PID 3036 wrote to memory of 2912	3036	Explorer.EXE	colorcpl.exe
PID 3036 wrote to memory of 2912	3036	Explorer.EXE	colorcpl.exe
PID 3036 wrote to memory of 2912	3036	Explorer.EXE	colorcpl.exe
PID 2912 wrote to memory of 2660	2912	colorcpl.exe	cmd.exe
PID 2912 wrote to memory of 2660	2912	colorcpl.exe	cmd.exe
PID 2912 wrote to memory of 2660	2912	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe
"C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/648-122-0x0000000001250000-0x00000000013E2000-memory.dmp

Filesize
1.6MB

Download
memory/648-121-0x00000000013F0000-0x0000000001710000-memory.dmp

Filesize
3.1MB

Download
memory/2700-118-0x0000000006DF0000-0x0000000006E8C000-memory.dmp

Filesize
624KB

Download
memory/2700-115-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2700-117-0x0000000001410000-0x0000000001424000-memory.dmp

Filesize
80KB

Download
memory/2700-116-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2912-124-0x00000000010A0000-0x00000000010B9000-memory.dmp

Filesize
100KB

Download
memory/2912-125-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/2912-126-0x0000000004D10000-0x0000000005030000-memory.dmp

Filesize
3.1MB

Download
memory/2912-127-0x0000000004B70000-0x0000000004D01000-memory.dmp

Filesize
1.6MB

Download
memory/3036-123-0x0000000002370000-0x0000000002459000-memory.dmp

Filesize
932KB

Download
memory/3036-128-0x0000000002510000-0x00000000025D1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads