xloader | 78fe3ed0e50009101124d757b0ff13967a5eda787ddad427276779c4d343ce2c

General

Target

Materials.exe
Size

357KB
MD5

8bd9a34cf06fa228b4ccd401808723cc
SHA1

e17daeaf2e0dcfdbaf026866c00fefb0beb47520
SHA256

38f3aadc65df16aed9f5bbaa5f42598d3fd9b29811429fcddd679a40b092fca0
SHA512

3d3ac1d0d90125fba07ca8a6fe0bb75a95b47b1caf177854b9e476aede2cefe396c68bb68c7dde0e32b22a740708aa3f23dd3726f3789504b83fd0b195c0479e

Score

10^/10

xloader kio8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

kio8

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1248-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/568-61-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1064 cmd.exe

pid	process
1064	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Materials.exeMaterials.exesystray.exe

description	pid	process	target process
PID 1564 set thread context of 1248	1564	Materials.exe	Materials.exe
PID 1248 set thread context of 1200	1248	Materials.exe	Explorer.EXE
PID 568 set thread context of 1200	568	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

Materials.exesystray.exe

pid	process
1248	Materials.exe
1248	Materials.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe
568	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Materials.exeMaterials.exesystray.exe

pid process

1564 Materials.exe
1248 Materials.exe
1248 Materials.exe
1248 Materials.exe
568 systray.exe
568 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Materials.exesystray.exe

description pid process

Token: SeDebugPrivilege 1248 Materials.exe
Token: SeDebugPrivilege 568 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE

pid	process
1200	Explorer.EXE

pid	process
1564	Materials.exe
1248	Materials.exe
1248	Materials.exe
1248	Materials.exe
568	systray.exe
568	systray.exe

description	pid	process
Token: SeDebugPrivilege	1248	Materials.exe
Token: SeDebugPrivilege	568	systray.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Materials.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1564 wrote to memory of 1612	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1612	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1612	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1612	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1724	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1724	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1724	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1724	1564	Materials.exe	cmd.exe
PID 1564 wrote to memory of 1248	1564	Materials.exe	Materials.exe
PID 1564 wrote to memory of 1248	1564	Materials.exe	Materials.exe
PID 1564 wrote to memory of 1248	1564	Materials.exe	Materials.exe
PID 1564 wrote to memory of 1248	1564	Materials.exe	Materials.exe
PID 1564 wrote to memory of 1248	1564	Materials.exe	Materials.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	systray.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	systray.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	systray.exe
PID 1200 wrote to memory of 568	1200	Explorer.EXE	systray.exe
PID 568 wrote to memory of 1064	568	systray.exe	cmd.exe
PID 568 wrote to memory of 1064	568	systray.exe	cmd.exe
PID 568 wrote to memory of 1064	568	systray.exe	cmd.exe
PID 568 wrote to memory of 1064	568	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Materials.exe
"C:\Users\Admin\AppData\Local\Temp\Materials.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\Materials.exe
"C:\Users\Admin\AppData\Local\Temp\Materials.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Materials.exe"
3⤵
- Deletes itself
PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-60-0x0000000000A70000-0x0000000000A75000-memory.dmp

Filesize
20KB

Download
memory/568-61-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/568-62-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/568-63-0x0000000000560000-0x00000000005EF000-memory.dmp

Filesize
572KB

Download
memory/1200-56-0x0000000004D10000-0x0000000004E45000-memory.dmp

Filesize
1.2MB

Download
memory/1200-64-0x0000000004F30000-0x0000000005062000-memory.dmp

Filesize
1.2MB

Download
memory/1248-55-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1248-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-58-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1248-59-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1564-54-0x00000000003AD000-0x00000000003B0000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads