xloader | e0da8ee3e3841832297dbb9aa41c61a4c0d4ed14cd62153da3742a5dfa7ea6e1

General

Target

Proforma Invoice #09876-INV-Order.PDF.exe
Size

652KB
MD5

e6deb32888a854099ad15feea9a528b6
SHA1

50f6573ee795bb5301ab75d3d1fe54cb02f4cef2
SHA256

e0da8ee3e3841832297dbb9aa41c61a4c0d4ed14cd62153da3742a5dfa7ea6e1
SHA512

ba35bb7d5cb11c4a3aff0bcb0c015f0cabdbc19325fcab2930bcd023b893a446780e8e580a560fbb45475e552b15ca6fa65e374f001824b670c07f18d8d9fa10

Score

10^/10

xloader pout loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pout

Decoy

leadergaterealty.com

k7bsz.info

laidjapp1.com

eastcountytaxi.com

betterlife-uae.com

materaiku.com

chanhxebinhthuan-hcm.online

06gjm.xyz

67t.xyz

here-we-meet.com

screened-articletoseetoday.info

lucykg.club

mujdobron.quest

susakhi.com

funtabse.com

unlimitedpain.com

2ed58fwec.xyz

weighttrainingexpert.com

allisonsheillax.com

yektaburgers.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4060-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3376-132-0x0000000000910000-0x0000000000939000-memory.dmp	xloader
behavioral2/memory/3376-134-0x00000000047C0000-0x0000000004957000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

59 3376 rundll32.exe

flow	pid	process
59	3376	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Proforma Invoice #09876-INV-Order.PDF.exeProforma Invoice #09876-INV-Order.PDF.exerundll32.exe

description	pid	process	target process
PID 3732 set thread context of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 4060 set thread context of 3056	4060	Proforma Invoice #09876-INV-Order.PDF.exe	Explorer.EXE
PID 3376 set thread context of 3056	3376	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Proforma Invoice #09876-INV-Order.PDF.exerundll32.exe

pid	process
4060	Proforma Invoice #09876-INV-Order.PDF.exe
4060	Proforma Invoice #09876-INV-Order.PDF.exe
4060	Proforma Invoice #09876-INV-Order.PDF.exe
4060	Proforma Invoice #09876-INV-Order.PDF.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE

pid	process
3056	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Proforma Invoice #09876-INV-Order.PDF.exerundll32.exe

pid	process
4060	Proforma Invoice #09876-INV-Order.PDF.exe
4060	Proforma Invoice #09876-INV-Order.PDF.exe
4060	Proforma Invoice #09876-INV-Order.PDF.exe
3376	rundll32.exe
3376	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Proforma Invoice #09876-INV-Order.PDF.exerundll32.exe

description pid process

Token: SeDebugPrivilege 4060 Proforma Invoice #09876-INV-Order.PDF.exe
Token: SeDebugPrivilege 3376 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4060	Proforma Invoice #09876-INV-Order.PDF.exe
Token: SeDebugPrivilege	3376	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Proforma Invoice #09876-INV-Order.PDF.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3732 wrote to memory of 4060	3732	Proforma Invoice #09876-INV-Order.PDF.exe	Proforma Invoice #09876-INV-Order.PDF.exe
PID 3056 wrote to memory of 3376	3056	Explorer.EXE	rundll32.exe
PID 3056 wrote to memory of 3376	3056	Explorer.EXE	rundll32.exe
PID 3056 wrote to memory of 3376	3056	Explorer.EXE	rundll32.exe
PID 3376 wrote to memory of 3356	3376	rundll32.exe	cmd.exe
PID 3376 wrote to memory of 3356	3376	rundll32.exe	cmd.exe
PID 3376 wrote to memory of 3356	3376	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice #09876-INV-Order.PDF.exe"
3⤵
PID:3356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3056-130-0x0000000003120000-0x0000000003213000-memory.dmp

Filesize
972KB

Download
memory/3056-135-0x0000000006B70000-0x0000000006CA3000-memory.dmp

Filesize
1.2MB

Download
memory/3376-134-0x00000000047C0000-0x0000000004957000-memory.dmp

Filesize
1.6MB

Download
memory/3376-133-0x0000000004B00000-0x0000000004E20000-memory.dmp

Filesize
3.1MB

Download
memory/3376-131-0x0000000000AF0000-0x0000000000B03000-memory.dmp

Filesize
76KB

Download
memory/3376-132-0x0000000000910000-0x0000000000939000-memory.dmp

Filesize
164KB

Download
memory/3732-122-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/3732-125-0x0000000007F20000-0x0000000007FA4000-memory.dmp

Filesize
528KB

Download
memory/3732-124-0x0000000007C50000-0x0000000007CEC000-memory.dmp

Filesize
624KB

Download
memory/3732-123-0x0000000007910000-0x0000000007924000-memory.dmp

Filesize
80KB

Download
memory/3732-118-0x0000000000B70000-0x0000000000C1A000-memory.dmp

Filesize
680KB

Download
memory/3732-121-0x0000000005380000-0x000000000587E000-memory.dmp

Filesize
5.0MB

Download
memory/3732-120-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/3732-119-0x0000000005880000-0x0000000005D7E000-memory.dmp

Filesize
5.0MB

Download
memory/4060-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-128-0x00000000019B0000-0x0000000001CD0000-memory.dmp

Filesize
3.1MB

Download
memory/4060-129-0x0000000001DF0000-0x0000000001E01000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads