xloader | b195e8f91a3465794595505dd2300b00d76841883eba905d5c09b74654b946f2

General

Target

QUOTATION REVIEW.exe
Size

382KB
MD5

6de1fe838e482853719ca575540a92b0
SHA1

9fa044e5e1189948b65fea2e778fabc2c98929d5
SHA256

09c176d0c7251e2c64e8cc619bd2b20be37d9b4b1eac19962d2a1b68f7a4535a
SHA512

8d9549973563356ad07eb2462320f36701f2244f78a4a20451ea9132d6dc30de01ab445d9392e4b0d594e3f379fa9b7c16154726829d8b8c90e2f22de0e7f124

Score

10^/10

xloader iifn loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iifn

Decoy

ramaseturs.com

yinhejump.top

realmendrinkwater.store

storyconnect.pro

likehisskin.com

miaoobaby.com

whistleittome.com

icrinc-inc.com

applelost-support.info

tenloe042.xyz

xiaoyaoshike.xyz

frontdukkan.online

disparatadora.xyz

dskensho326.xyz

fsol.pro

rootpresidential.xyz

tejidosvianey.com

diapazon-med.store

suicidestars.com

fadilacatering.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/860-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/860-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/824-71-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe

pid	process
1168	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTATION REVIEW.exeQUOTATION REVIEW.exemsdt.exe

description	pid	process	target process
PID 1128 set thread context of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 860 set thread context of 1416	860	QUOTATION REVIEW.exe	Explorer.EXE
PID 860 set thread context of 1416	860	QUOTATION REVIEW.exe	Explorer.EXE
PID 824 set thread context of 1416	824	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

QUOTATION REVIEW.exemsdt.exe

pid	process
860	QUOTATION REVIEW.exe
860	QUOTATION REVIEW.exe
860	QUOTATION REVIEW.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe
824	msdt.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

QUOTATION REVIEW.exemsdt.exe

pid process

860 QUOTATION REVIEW.exe
860 QUOTATION REVIEW.exe
860 QUOTATION REVIEW.exe
860 QUOTATION REVIEW.exe
824 msdt.exe
824 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QUOTATION REVIEW.exemsdt.exe

description pid process

Token: SeDebugPrivilege 860 QUOTATION REVIEW.exe
Token: SeDebugPrivilege 824 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	860	QUOTATION REVIEW.exe
Token: SeDebugPrivilege	824	msdt.exe

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

QUOTATION REVIEW.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1128 wrote to memory of 860	1128	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1416 wrote to memory of 824	1416	Explorer.EXE	msdt.exe
PID 1416 wrote to memory of 824	1416	Explorer.EXE	msdt.exe
PID 1416 wrote to memory of 824	1416	Explorer.EXE	msdt.exe
PID 1416 wrote to memory of 824	1416	Explorer.EXE	msdt.exe
PID 824 wrote to memory of 1168	824	msdt.exe	cmd.exe
PID 824 wrote to memory of 1168	824	msdt.exe	cmd.exe
PID 824 wrote to memory of 1168	824	msdt.exe	cmd.exe
PID 824 wrote to memory of 1168	824	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
3⤵
- Deletes itself
PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-70-0x0000000000A80000-0x0000000000B74000-memory.dmp

Filesize
976KB

Download
memory/824-73-0x00000000009C0000-0x0000000000A50000-memory.dmp

Filesize
576KB

Download
memory/824-72-0x0000000002300000-0x0000000002603000-memory.dmp

Filesize
3.0MB

Download
memory/824-71-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/860-67-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/860-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-64-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/860-63-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download
memory/860-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1128-54-0x0000000000B90000-0x0000000000BF6000-memory.dmp

Filesize
408KB

Download
memory/1128-58-0x00000000050C0000-0x0000000005122000-memory.dmp

Filesize
392KB

Download
memory/1128-57-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1128-56-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1128-55-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1416-65-0x0000000006990000-0x0000000006AC6000-memory.dmp

Filesize
1.2MB

Download
memory/1416-68-0x0000000006F70000-0x0000000007097000-memory.dmp

Filesize
1.2MB

Download
memory/1416-74-0x0000000004D20000-0x0000000004E11000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads