xloader | 1bc0a120ac4b42b8463e8ab3fccaba54c810fa75475e5606a65ea371e7987782

General

Target

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
Size

483KB
MD5

703540c2c3e8296b85f9860e4735d773
SHA1

a13a05a927377e54a006dcdf1a7b79e278eaee58
SHA256

95d52da676d92728d35e9fa0e6a49dc451dc83eadb8beb0ba0f2a3b891a69696
SHA512

ae70b95556b5263c7f4241ac24d0dd10d201f4858035359a8be41206c4778d164e768ac3ba0be6cd95c8ee38fafcdfb86ffe851e6e51e93b3520f8cdb8ce8ed6

Score

10^/10

xloader b23k loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b23k

Decoy

foxsistersofhydesville.com

jetronbang.com

agriturismopartingoli.com

ihiinscus.com

zaksrestaurants.store

aspetac.com

ycjhjd.com

fountainspringscapemay.com

earlydose.com

nocodebelgium.com

65235.xyz

yasesite.com

steeltoilets.com

xceqa.xyz

2021udtv.com

belorusneft.top

the4asofdekhockey.com

gertexhosiery.com

fidelismortgages.com

bellacomoninguna.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/568-67-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1544 cmd.exe

pid	process
1544	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exeVESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exewuapp.exe

description	pid	process	target process
PID 1588 set thread context of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 848 set thread context of 1232	848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	Explorer.EXE
PID 568 set thread context of 1232	568	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exewuapp.exe

pid	process
848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exewuapp.exe

pid	process
848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
568	wuapp.exe
568	wuapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exewuapp.exe

description pid process

Token: SeDebugPrivilege 848 VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
Token: SeDebugPrivilege 568 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	848	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
Token: SeDebugPrivilege	568	wuapp.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1588 wrote to memory of 848	1588	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe	VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 568	1232	Explorer.EXE	wuapp.exe
PID 568 wrote to memory of 1544	568	wuapp.exe	cmd.exe
PID 568 wrote to memory of 1544	568	wuapp.exe	cmd.exe
PID 568 wrote to memory of 1544	568	wuapp.exe	cmd.exe
PID 568 wrote to memory of 1544	568	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\VESSEL DESCRIPCTION MV BERKAY N - IMO NO 9524827_PDF.exe"
3⤵
- Deletes itself
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-67-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/568-69-0x0000000001D50000-0x0000000001DE0000-memory.dmp

Filesize
576KB

Download
memory/568-68-0x0000000001E50000-0x0000000002153000-memory.dmp

Filesize
3.0MB

Download
memory/568-66-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/848-63-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/848-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-64-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/1232-65-0x00000000068B0000-0x0000000006A1B000-memory.dmp

Filesize
1.4MB

Download
memory/1232-70-0x0000000006B60000-0x0000000006CC9000-memory.dmp

Filesize
1.4MB

Download
memory/1588-54-0x0000000001310000-0x0000000001390000-memory.dmp

Filesize
512KB

Download
memory/1588-58-0x00000000048A0000-0x0000000004900000-memory.dmp

Filesize
384KB

Download
memory/1588-57-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1588-56-0x0000000002790000-0x00000000049A0000-memory.dmp

Filesize
34.1MB

Download
memory/1588-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads