xloader | a04a4acf00f50f8b3c3bea38914813aa75ce4ba8c30c08971a6094c492d0d41d

General

Target

LETTER OF INTENT.exe
Size

750KB
MD5

b3f43a58149d9058f8c39455869c2f84
SHA1

8f3d20b2f71e7331c355e2926a5fc5ce71e72eb8
SHA256

a04a4acf00f50f8b3c3bea38914813aa75ce4ba8c30c08971a6094c492d0d41d
SHA512

4aa74fa83551e3c2318f488cf2dbd0741e9b42899ad8501c0bf9d0e2c6471fee6ad0c1588ea652195de1ef813e51bc2bb03628cf5609792e7e59e1baa56b3fef

Score

10^/10

xloader uar3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

jogoreviravolta.com

keysine.com

sami60.com

morganators.com

referral.directory

campdiscount.info

vanwah.com

jmtmjz.com

der-transformationscode.com

evangelvalormedia.com

bedsidehomecare.com

novaair.net

privilegetroissecurity.com

elsiepupz.com

yy77kk.com

nt-renewable.com

alyaqoutalabyadhautoparts.com

start-play-now.com

myskew.com

himalaya-finance.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/848-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1544-75-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1040 cmd.exe

pid	process
1040	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

LETTER OF INTENT.exeLETTER OF INTENT.exewuapp.exe

description	pid	process	target process
PID 1688 set thread context of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 848 set thread context of 1232	848	LETTER OF INTENT.exe	Explorer.EXE
PID 848 set thread context of 1232	848	LETTER OF INTENT.exe	Explorer.EXE
PID 1544 set thread context of 1232	1544	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

LETTER OF INTENT.exeLETTER OF INTENT.exewuapp.exe

pid	process
1688	LETTER OF INTENT.exe
1688	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe
1544	wuapp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

LETTER OF INTENT.exewuapp.exe

pid process

848 LETTER OF INTENT.exe
848 LETTER OF INTENT.exe
848 LETTER OF INTENT.exe
848 LETTER OF INTENT.exe
1544 wuapp.exe
1544 wuapp.exe

pid	process
848	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
848	LETTER OF INTENT.exe
1544	wuapp.exe
1544	wuapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LETTER OF INTENT.exeLETTER OF INTENT.exewuapp.exe

description	pid	process
Token: SeDebugPrivilege	1688	LETTER OF INTENT.exe
Token: SeDebugPrivilege	848	LETTER OF INTENT.exe
Token: SeDebugPrivilege	1544	wuapp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LETTER OF INTENT.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1688 wrote to memory of 848	1688	LETTER OF INTENT.exe	LETTER OF INTENT.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1544	1232	Explorer.EXE	wuapp.exe
PID 1544 wrote to memory of 1040	1544	wuapp.exe	cmd.exe
PID 1544 wrote to memory of 1040	1544	wuapp.exe	cmd.exe
PID 1544 wrote to memory of 1040	1544	wuapp.exe	cmd.exe
PID 1544 wrote to memory of 1040	1544	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\LETTER OF INTENT.exe
"C:\Users\Admin\AppData\Local\Temp\LETTER OF INTENT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\LETTER OF INTENT.exe
"C:\Users\Admin\AppData\Local\Temp\LETTER OF INTENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LETTER OF INTENT.exe"
3⤵
- Deletes itself
PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-71-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/848-68-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/848-66-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/848-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/848-72-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/848-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1232-73-0x0000000006B60000-0x0000000006CE8000-memory.dmp

Filesize
1.5MB

Download
memory/1232-69-0x00000000068B0000-0x00000000069CB000-memory.dmp

Filesize
1.1MB

Download
memory/1232-78-0x00000000072E0000-0x0000000007440000-memory.dmp

Filesize
1.4MB

Download
memory/1544-76-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/1544-75-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1544-74-0x0000000000B30000-0x0000000000B3B000-memory.dmp

Filesize
44KB

Download
memory/1544-77-0x0000000000A00000-0x0000000000A90000-memory.dmp

Filesize
576KB

Download
memory/1544-79-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1688-60-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/1688-59-0x0000000005160000-0x000000000520E000-memory.dmp

Filesize
696KB

Download
memory/1688-55-0x0000000073DAE000-0x0000000073DAF000-memory.dmp

Filesize
4KB

Download
memory/1688-56-0x0000000001280000-0x0000000001342000-memory.dmp

Filesize
776KB

Download
memory/1688-57-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1688-58-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads