xloader | b195e8f91a3465794595505dd2300b00d76841883eba905d5c09b74654b946f2

General

Target

QUOTATION REVIEW.exe
Size

382KB
MD5

6de1fe838e482853719ca575540a92b0
SHA1

9fa044e5e1189948b65fea2e778fabc2c98929d5
SHA256

09c176d0c7251e2c64e8cc619bd2b20be37d9b4b1eac19962d2a1b68f7a4535a
SHA512

8d9549973563356ad07eb2462320f36701f2244f78a4a20451ea9132d6dc30de01ab445d9392e4b0d594e3f379fa9b7c16154726829d8b8c90e2f22de0e7f124

Score

10^/10

xloader iifn loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iifn

Decoy

ramaseturs.com

yinhejump.top

realmendrinkwater.store

storyconnect.pro

likehisskin.com

miaoobaby.com

whistleittome.com

icrinc-inc.com

applelost-support.info

tenloe042.xyz

xiaoyaoshike.xyz

frontdukkan.online

disparatadora.xyz

dskensho326.xyz

fsol.pro

rootpresidential.xyz

tejidosvianey.com

diapazon-med.store

suicidestars.com

fadilacatering.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/380-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2548-132-0x0000000000850000-0x0000000000879000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

QUOTATION REVIEW.exeQUOTATION REVIEW.exerundll32.exe

description	pid	process	target process
PID 1900 set thread context of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 380 set thread context of 2880	380	QUOTATION REVIEW.exe	Explorer.EXE
PID 2548 set thread context of 2880	2548	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

QUOTATION REVIEW.exeQUOTATION REVIEW.exerundll32.exe

pid	process
1900	QUOTATION REVIEW.exe
1900	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

QUOTATION REVIEW.exerundll32.exe

pid process

380 QUOTATION REVIEW.exe
380 QUOTATION REVIEW.exe
380 QUOTATION REVIEW.exe
2548 rundll32.exe
2548 rundll32.exe

pid	process
380	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
380	QUOTATION REVIEW.exe
2548	rundll32.exe
2548	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

QUOTATION REVIEW.exeQUOTATION REVIEW.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	1900	QUOTATION REVIEW.exe
Token: SeDebugPrivilege	380	QUOTATION REVIEW.exe
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeShutdownPrivilege	2880	Explorer.EXE
Token: SeCreatePagefilePrivilege	2880	Explorer.EXE
Token: SeDebugPrivilege	2548	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

QUOTATION REVIEW.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1900 wrote to memory of 608	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 608	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 608	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 1900 wrote to memory of 380	1900	QUOTATION REVIEW.exe	QUOTATION REVIEW.exe
PID 2880 wrote to memory of 2548	2880	Explorer.EXE	rundll32.exe
PID 2880 wrote to memory of 2548	2880	Explorer.EXE	rundll32.exe
PID 2880 wrote to memory of 2548	2880	Explorer.EXE	rundll32.exe
PID 2548 wrote to memory of 3324	2548	rundll32.exe	cmd.exe
PID 2548 wrote to memory of 3324	2548	rundll32.exe	cmd.exe
PID 2548 wrote to memory of 3324	2548	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
3⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION REVIEW.exe"
3⤵
PID:3324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/380-129-0x00000000016C0000-0x000000000185F000-memory.dmp

Filesize
1.6MB

Download
memory/380-128-0x0000000001860000-0x0000000001B80000-memory.dmp

Filesize
3.1MB

Download
memory/1900-122-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/1900-119-0x0000000005B50000-0x000000000604E000-memory.dmp

Filesize
5.0MB

Download
memory/1900-123-0x0000000007C50000-0x0000000007C5C000-memory.dmp

Filesize
48KB

Download
memory/1900-124-0x0000000001490000-0x000000000152C000-memory.dmp

Filesize
624KB

Download
memory/1900-125-0x0000000001630000-0x0000000001692000-memory.dmp

Filesize
392KB

Download
memory/1900-121-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/1900-120-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/1900-118-0x0000000000C40000-0x0000000000CA6000-memory.dmp

Filesize
408KB

Download
memory/2548-132-0x0000000000850000-0x0000000000879000-memory.dmp

Filesize
164KB

Download
memory/2548-131-0x0000000000BB0000-0x0000000000BC3000-memory.dmp

Filesize
76KB

Download
memory/2548-133-0x0000000004790000-0x0000000004AB0000-memory.dmp

Filesize
3.1MB

Download
memory/2548-134-0x0000000004450000-0x00000000045E7000-memory.dmp

Filesize
1.6MB

Download
memory/2880-130-0x0000000002D50000-0x0000000002E96000-memory.dmp

Filesize
1.3MB

Download
memory/2880-135-0x0000000005A00000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads