xloader | 9c9391787e2960bdf7769a7cdef7488571a181336110a0d70322d3a870ecf775

General

Target

Nc162VSyId1HcRH.exe
Size

389KB
MD5

01190158d9f1303cdcd3b00037dd093a
SHA1

07f1eca8ba4ffd276a207acbfe943dc3bb82beec
SHA256

9c9391787e2960bdf7769a7cdef7488571a181336110a0d70322d3a870ecf775
SHA512

98aa8a6b4eb8d0caf7d1bddefcdda3cdaeb38a711b6404ede7deac770bccc565880f0bda39e02faa4b56f877853c1aedde0e0810d922e2ccf6de9a52202c8dc7

Score

10^/10

xloader b3xd loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b3xd

Decoy

nestonconstruction.com

ratnainternational.com

3bersaudara.com

scottkmoody.store

1metroband.com

prechit.com

desertbirdmercantile.com

marciabernice.com

packard.vote

selo.global

fourthandwhiteoak.com

ecoplagas.online

api-jipotvcom.xyz

shabellafurniture.com

maxmonacomarble.com

imprimiruncalendario.com

cochepordinero.net

teamosu.club

therightleftfoot.com

mitt-masters.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1852-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1852-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1048-70-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

9 1048 cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1512 cmd.exe

flow	pid	process
9	1048	cmd.exe

pid	process
1512	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Nc162VSyId1HcRH.exeNc162VSyId1HcRH.execmd.exe

description	pid	process	target process
PID 1692 set thread context of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1852 set thread context of 1200	1852	Nc162VSyId1HcRH.exe	Explorer.EXE
PID 1852 set thread context of 1200	1852	Nc162VSyId1HcRH.exe	Explorer.EXE
PID 1048 set thread context of 1200	1048	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Nc162VSyId1HcRH.exeNc162VSyId1HcRH.execmd.exe

pid	process
1692	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe
1048	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Nc162VSyId1HcRH.execmd.exe

pid process

1852 Nc162VSyId1HcRH.exe
1852 Nc162VSyId1HcRH.exe
1852 Nc162VSyId1HcRH.exe
1852 Nc162VSyId1HcRH.exe
1048 cmd.exe
1048 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Nc162VSyId1HcRH.exeNc162VSyId1HcRH.execmd.exe

description pid process

Token: SeDebugPrivilege 1692 Nc162VSyId1HcRH.exe
Token: SeDebugPrivilege 1852 Nc162VSyId1HcRH.exe
Token: SeDebugPrivilege 1048 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE

pid	process
1852	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1852	Nc162VSyId1HcRH.exe
1048	cmd.exe
1048	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1692	Nc162VSyId1HcRH.exe
Token: SeDebugPrivilege	1852	Nc162VSyId1HcRH.exe
Token: SeDebugPrivilege	1048	cmd.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Nc162VSyId1HcRH.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1924	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1924	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1924	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1924	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1692 wrote to memory of 1852	1692	Nc162VSyId1HcRH.exe	Nc162VSyId1HcRH.exe
PID 1200 wrote to memory of 1048	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1048	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1048	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1048	1200	Explorer.EXE	cmd.exe
PID 1048 wrote to memory of 1512	1048	cmd.exe	cmd.exe
PID 1048 wrote to memory of 1512	1048	cmd.exe	cmd.exe
PID 1048 wrote to memory of 1512	1048	cmd.exe	cmd.exe
PID 1048 wrote to memory of 1512	1048	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe
"C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe
"C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe"
3⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe
"C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Nc162VSyId1HcRH.exe"
3⤵
- Deletes itself
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-72-0x0000000001C40000-0x0000000001CD0000-memory.dmp

Filesize
576KB

Download
memory/1048-71-0x0000000001E20000-0x0000000002123000-memory.dmp

Filesize
3.0MB

Download
memory/1048-70-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1048-69-0x000000004AC90000-0x000000004ACDC000-memory.dmp

Filesize
304KB

Download
memory/1200-68-0x0000000004F30000-0x0000000005097000-memory.dmp

Filesize
1.4MB

Download
memory/1200-73-0x00000000064A0000-0x00000000065BE000-memory.dmp

Filesize
1.1MB

Download
memory/1200-65-0x0000000004C80000-0x0000000004D73000-memory.dmp

Filesize
972KB

Download
memory/1692-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1692-56-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1692-57-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1692-58-0x0000000000C50000-0x0000000000CB2000-memory.dmp

Filesize
392KB

Download
memory/1692-54-0x00000000011E0000-0x0000000001248000-memory.dmp

Filesize
416KB

Download
memory/1852-63-0x00000000007D0000-0x0000000000BD3000-memory.dmp

Filesize
4.0MB

Download
memory/1852-67-0x00000000001A0000-0x00000000001B1000-memory.dmp

Filesize
68KB

Download
memory/1852-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-64-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/1852-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1852-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads