xloader | af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4

General

Target

IMG 29987 SHIPMENT Order 85 3.02.2022.exe
Size

558KB
MD5

d541dd30d857710b9a5f708b83db0241
SHA1

6a6b66e233eee0b11129732e35e4e7c65c631c84
SHA256

af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4
SHA512

685cdf9f95452ca8b177208cac7fc6841709167a5a46116d7267c6330fcf4f77ecca67dd9730554682bdc5fbf9e19f5f2f0bb3bb3ab2f520f49271261067ac89

Score

10^/10

xloader p8ce loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1696-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/736-69-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

288 cmd.exe

pid	process
288	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

IMG 29987 SHIPMENT Order 85 3.02.2022.exeIMG 29987 SHIPMENT Order 85 3.02.2022.execmstp.exe

description	pid	process	target process
PID 2028 set thread context of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 1696 set thread context of 1404	1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	Explorer.EXE
PID 736 set thread context of 1404	736	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

IMG 29987 SHIPMENT Order 85 3.02.2022.exeIMG 29987 SHIPMENT Order 85 3.02.2022.execmstp.exe

pid	process
2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe
736	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

IMG 29987 SHIPMENT Order 85 3.02.2022.execmstp.exe

pid	process
1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
736	cmstp.exe
736	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

IMG 29987 SHIPMENT Order 85 3.02.2022.exeIMG 29987 SHIPMENT Order 85 3.02.2022.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
Token: SeDebugPrivilege	1696	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
Token: SeDebugPrivilege	736	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

IMG 29987 SHIPMENT Order 85 3.02.2022.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2028 wrote to memory of 740	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 740	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 740	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 740	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 2028 wrote to memory of 1696	2028	IMG 29987 SHIPMENT Order 85 3.02.2022.exe	IMG 29987 SHIPMENT Order 85 3.02.2022.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 1404 wrote to memory of 736	1404	Explorer.EXE	cmstp.exe
PID 736 wrote to memory of 288	736	cmstp.exe	cmd.exe
PID 736 wrote to memory of 288	736	cmstp.exe	cmd.exe
PID 736 wrote to memory of 288	736	cmstp.exe	cmd.exe
PID 736 wrote to memory of 288	736	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe
"C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe
"C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
3⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe
"C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1112

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:660

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:524

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:472

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
3⤵
- Deletes itself
PID:288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-71-0x0000000001D00000-0x0000000001D90000-memory.dmp

Filesize
576KB

Download
memory/736-70-0x0000000001DF0000-0x00000000020F3000-memory.dmp

Filesize
3.0MB

Download
memory/736-69-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/736-68-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/1404-66-0x0000000006CF0000-0x0000000006E70000-memory.dmp

Filesize
1.5MB

Download
memory/1404-72-0x00000000048D0000-0x00000000049EC000-memory.dmp

Filesize
1.1MB

Download
memory/1696-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-64-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1696-65-0x00000000001A0000-0x00000000001B1000-memory.dmp

Filesize
68KB

Download
memory/1696-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-54-0x0000000001270000-0x0000000001304000-memory.dmp

Filesize
592KB

Download
memory/2028-59-0x0000000004EF5000-0x0000000004F06000-memory.dmp

Filesize
68KB

Download
memory/2028-58-0x0000000004F30000-0x0000000004F8E000-memory.dmp

Filesize
376KB

Download
memory/2028-57-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2028-56-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2028-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads