xloader | affaec3e32d0244aaf424180de568e23d03da3eb6c43dcb0b82b4e5185731abc

General

Target

Carta de pago.exe
Size

357KB
MD5

03206cea63667d5f8e8861f554720473
SHA1

43bcabbfaffce6dfb7c5ec763f11ea85d8876dad
SHA256

c15f6faab41ea44719d795995c15024db0719fa5c9a731110587ec4e1e041fc2
SHA512

7552aae69b210e543f27d707952738df7f349daf99450e53b0a39729ea7bea5e31d34b9dc6b876ef2964f759f488a83a052a913125fb6b6f50767f994277e933

Score

10^/10

xloader kio8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

kio8

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1660-55-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/556-62-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1740 cmd.exe

pid	process
1740	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Carta de pago.exeCarta de pago.execontrol.exe

description	pid	process	target process
PID 756 set thread context of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 1660 set thread context of 1216	1660	Carta de pago.exe	Explorer.EXE
PID 556 set thread context of 1216	556	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

Carta de pago.execontrol.exe

pid	process
1660	Carta de pago.exe
1660	Carta de pago.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe
556	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Carta de pago.exeCarta de pago.execontrol.exe

pid process

756 Carta de pago.exe
1660 Carta de pago.exe
1660 Carta de pago.exe
1660 Carta de pago.exe
556 control.exe
556 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Carta de pago.execontrol.exe

description pid process

Token: SeDebugPrivilege 1660 Carta de pago.exe
Token: SeDebugPrivilege 556 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE

pid	process
1216	Explorer.EXE

pid	process
756	Carta de pago.exe
1660	Carta de pago.exe
1660	Carta de pago.exe
1660	Carta de pago.exe
556	control.exe
556	control.exe

description	pid	process
Token: SeDebugPrivilege	1660	Carta de pago.exe
Token: SeDebugPrivilege	556	control.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Carta de pago.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 756 wrote to memory of 1820	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1820	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1820	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1820	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1916	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1916	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1916	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1916	756	Carta de pago.exe	cmd.exe
PID 756 wrote to memory of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 756 wrote to memory of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 756 wrote to memory of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 756 wrote to memory of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 756 wrote to memory of 1660	756	Carta de pago.exe	Carta de pago.exe
PID 1216 wrote to memory of 556	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 556	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 556	1216	Explorer.EXE	control.exe
PID 1216 wrote to memory of 556	1216	Explorer.EXE	control.exe
PID 556 wrote to memory of 1740	556	control.exe	cmd.exe
PID 556 wrote to memory of 1740	556	control.exe	cmd.exe
PID 556 wrote to memory of 1740	556	control.exe	cmd.exe
PID 556 wrote to memory of 1740	556	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
3⤵
- Deletes itself
PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-60-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/556-61-0x0000000000BB0000-0x0000000000BCF000-memory.dmp

Filesize
124KB

Download
memory/556-62-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/556-63-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/556-64-0x0000000000820000-0x00000000008AF000-memory.dmp

Filesize
572KB

Download
memory/756-54-0x000000000043D000-0x0000000000440000-memory.dmp

Filesize
12KB

Download
memory/1216-59-0x0000000004B10000-0x0000000004C37000-memory.dmp

Filesize
1.2MB

Download
memory/1216-65-0x00000000067F0000-0x0000000006915000-memory.dmp

Filesize
1.1MB

Download
memory/1660-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1660-56-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1660-58-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1660-57-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads