xloader | 5598831a8a17b53751f4c34112c7c4b42d4906a6e73d60018ae8d499ce605580

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
23-02-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

706KB
MD5

953708e0cefbd35c124e526d9f7bd4d2
SHA1

5c3437b790aaca62b048c38f53584aedb6aaa118
SHA256

5598831a8a17b53751f4c34112c7c4b42d4906a6e73d60018ae8d499ce605580
SHA512

1b21b714b95ae43200b652178a99b815ac6f95a3e411497cf21592e3ecb788fe8e813a5d55299c044a3ec6ad362e584cce132801efcc2c64cc85324636969960

Score

10^/10

xloader vfm2 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

vfm2

Decoy

alfaiptvturkiye.com

snagged.xyz

sarrosh.com

jpitkin.com

shiningproent.com

welcommon.com

oglesheatandair.com

qtomdnwj.xyz

threemee-pictures.com

refractory.online

ethercut.com

uniformityenegotiate.com

hawktech.club

adventplus.online

tuntun-newmarket.com

tiendasnea.online

thegranitegalleria.com

trawk.club

gold2guide.art

skphoolmakhana.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1396-132-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1396-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4344-143-0x0000000000840000-0x0000000000869000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4776 set thread context of 1396	4776	tmp.exe	82
PID 1396 set thread context of 2488	1396	aspnet_compiler.exe	48
PID 1396 set thread context of 2488	1396	aspnet_compiler.exe	48
PID 4344 set thread context of 2488	4344	WWAHost.exe	48

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe
4344	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2488	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
1396	aspnet_compiler.exe
4344	WWAHost.exe
4344	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	tmp.exe
Token: SeDebugPrivilege	1396	aspnet_compiler.exe
Token: SeDebugPrivilege	4344	WWAHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 4776 wrote to memory of 1396	4776	tmp.exe	82
PID 2488 wrote to memory of 4344	2488	Explorer.EXE	91
PID 2488 wrote to memory of 4344	2488	Explorer.EXE	91
PID 2488 wrote to memory of 4344	2488	Explorer.EXE	91
PID 4344 wrote to memory of 3532	4344	WWAHost.exe	94
PID 4344 wrote to memory of 3532	4344	WWAHost.exe	94
PID 4344 wrote to memory of 3532	4344	WWAHost.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-139-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1396-135-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1396-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-133-0x0000000001A10000-0x0000000001D5A000-memory.dmp

Filesize
3.3MB

Download
memory/1396-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-136-0x00000000019A0000-0x00000000019B1000-memory.dmp

Filesize
68KB

Download
memory/1396-140-0x00000000019F0000-0x0000000001A01000-memory.dmp

Filesize
68KB

Download
memory/2488-141-0x00000000086F0000-0x0000000008844000-memory.dmp

Filesize
1.3MB

Download
memory/2488-137-0x0000000008630000-0x00000000086E5000-memory.dmp

Filesize
724KB

Download
memory/2488-146-0x00000000088F0000-0x0000000008A6E000-memory.dmp

Filesize
1.5MB

Download
memory/4344-142-0x0000000000C90000-0x0000000000D6C000-memory.dmp

Filesize
880KB

Download
memory/4344-143-0x0000000000840000-0x0000000000869000-memory.dmp

Filesize
164KB

Download
memory/4344-144-0x0000000001780000-0x0000000001ACA000-memory.dmp

Filesize
3.3MB

Download
memory/4344-145-0x00000000014A0000-0x0000000001530000-memory.dmp

Filesize
576KB

Download
memory/4776-131-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

Filesize
624KB

Download
memory/4776-130-0x0000000000020000-0x00000000000D6000-memory.dmp

Filesize
728KB

Download