xloader | 3e744c3094645bf04cea5756fe54d7b04a32a59bed5d945ac4ccc9b06fb85ef5

General

Target

SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe
Size

42KB
MD5

ea07ec5ed571fe97232b71120ba5e71d
SHA1

70a5f54a056ceaa70e34ea37efd5f668e0360696
SHA256

3e744c3094645bf04cea5756fe54d7b04a32a59bed5d945ac4ccc9b06fb85ef5
SHA512

b840020b46a8ee4b1a54e20015c41221545e0776ebeb67db4e4175969a239630b771f239b183eebfbdc26f072cbfd4dfaeb583fad80e513e7da8d2d7fa18f5f6

Score

10^/10

xloader zqzw loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1900-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4396-144-0x0000000000640000-0x0000000000669000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeaspnet_compiler.execmmon32.exe

description	pid	process	target process
PID 2780 set thread context of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 1900 set thread context of 3032	1900	aspnet_compiler.exe	Explorer.EXE
PID 4396 set thread context of 3032	4396	cmmon32.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

aspnet_compiler.execmmon32.exe

pid	process
1900	aspnet_compiler.exe
1900	aspnet_compiler.exe
1900	aspnet_compiler.exe
1900	aspnet_compiler.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe
4396	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

aspnet_compiler.execmmon32.exe

pid process

1900 aspnet_compiler.exe
1900 aspnet_compiler.exe
1900 aspnet_compiler.exe
4396 cmmon32.exe
4396 cmmon32.exe

pid	process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeaspnet_compiler.exesvchost.execmmon32.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe
Token: SeDebugPrivilege	1900	aspnet_compiler.exe
Token: SeShutdownPrivilege	1464	svchost.exe
Token: SeCreatePagefilePrivilege	1464	svchost.exe
Token: SeShutdownPrivilege	1464	svchost.exe
Token: SeCreatePagefilePrivilege	1464	svchost.exe
Token: SeShutdownPrivilege	1464	svchost.exe
Token: SeCreatePagefilePrivilege	1464	svchost.exe
Token: SeDebugPrivilege	4396	cmmon32.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe
Token: SeRestorePrivilege	4540	TiWorker.exe
Token: SeSecurityPrivilege	4540	TiWorker.exe
Token: SeBackupPrivilege	4540	TiWorker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 2780 wrote to memory of 1900	2780	SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe	aspnet_compiler.exe
PID 3032 wrote to memory of 4396	3032	Explorer.EXE	cmmon32.exe
PID 3032 wrote to memory of 4396	3032	Explorer.EXE	cmmon32.exe
PID 3032 wrote to memory of 4396	3032	Explorer.EXE	cmmon32.exe
PID 4396 wrote to memory of 3864	4396	cmmon32.exe	cmd.exe
PID 4396 wrote to memory of 3864	4396	cmmon32.exe	cmd.exe
PID 4396 wrote to memory of 3864	4396	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.252.11132.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-142-0x000001C1A34B0000-0x000001C1A34B4000-memory.dmp

Filesize
16KB

Download
memory/1464-140-0x000001C1A0730000-0x000001C1A0740000-memory.dmp

Filesize
64KB

Download
memory/1464-141-0x000001C1A0790000-0x000001C1A07A0000-memory.dmp

Filesize
64KB

Download
memory/1900-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1900-137-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1900-136-0x0000000000FD0000-0x000000000131A000-memory.dmp

Filesize
3.3MB

Download
memory/1900-138-0x0000000000AD0000-0x0000000000AE1000-memory.dmp

Filesize
68KB

Download
memory/2780-131-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/2780-132-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2780-133-0x0000000005EB0000-0x0000000005F4C000-memory.dmp

Filesize
624KB

Download
memory/2780-130-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/3032-139-0x0000000008440000-0x0000000008579000-memory.dmp

Filesize
1.2MB

Download
memory/3032-147-0x0000000008840000-0x00000000089C1000-memory.dmp

Filesize
1.5MB

Download
memory/4396-144-0x0000000000640000-0x0000000000669000-memory.dmp

Filesize
164KB

Download
memory/4396-143-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/4396-145-0x0000000002520000-0x000000000286A000-memory.dmp

Filesize
3.3MB

Download
memory/4396-146-0x0000000002350000-0x00000000023E0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads