xloader | a70a717458c5147a02dca62c03c58d2e11e165180e683fa4755c719e6f9ad9c5

General

Target

ovRDe2RyH2kWS1u.exe
Size

771KB
MD5

87ee91152f7a07f16db9756feae2fb0a
SHA1

0a3221619d69958e52f8b8719260196aa130ebcc
SHA256

a70a717458c5147a02dca62c03c58d2e11e165180e683fa4755c719e6f9ad9c5
SHA512

a385d5b89051a17c6cae76f985aea9f339423a2e6467cf460be495eda78f2791d7a02cfba30ab114a4be506b7aac754737657cd4537efb066723787385bb464a

Score

10^/10

xloader wdc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1588-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1588-139-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1880-145-0x0000000000630000-0x0000000000659000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

ovRDe2RyH2kWS1u.exeovRDe2RyH2kWS1u.exehelp.exe

description	pid	process	target process
PID 3744 set thread context of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 1588 set thread context of 2428	1588	ovRDe2RyH2kWS1u.exe	Explorer.EXE
PID 1880 set thread context of 2428	1880	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

ovRDe2RyH2kWS1u.exehelp.exe

pid	process
1588	ovRDe2RyH2kWS1u.exe
1588	ovRDe2RyH2kWS1u.exe
1588	ovRDe2RyH2kWS1u.exe
1588	ovRDe2RyH2kWS1u.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe
1880	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2428 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ovRDe2RyH2kWS1u.exehelp.exe

pid process

1588 ovRDe2RyH2kWS1u.exe
1588 ovRDe2RyH2kWS1u.exe
1588 ovRDe2RyH2kWS1u.exe
1880 help.exe
1880 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ovRDe2RyH2kWS1u.exehelp.exe

description pid process

Token: SeDebugPrivilege 1588 ovRDe2RyH2kWS1u.exe
Token: SeDebugPrivilege 1880 help.exe

pid	process
2428	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1588	ovRDe2RyH2kWS1u.exe
Token: SeDebugPrivilege	1880	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ovRDe2RyH2kWS1u.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 3744 wrote to memory of 1588	3744	ovRDe2RyH2kWS1u.exe	ovRDe2RyH2kWS1u.exe
PID 2428 wrote to memory of 1880	2428	Explorer.EXE	help.exe
PID 2428 wrote to memory of 1880	2428	Explorer.EXE	help.exe
PID 2428 wrote to memory of 1880	2428	Explorer.EXE	help.exe
PID 1880 wrote to memory of 2572	1880	help.exe	cmd.exe
PID 1880 wrote to memory of 2572	1880	help.exe	cmd.exe
PID 1880 wrote to memory of 2572	1880	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\ovRDe2RyH2kWS1u.exe
"C:\Users\Admin\AppData\Local\Temp\ovRDe2RyH2kWS1u.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\ovRDe2RyH2kWS1u.exe
"C:\Users\Admin\AppData\Local\Temp\ovRDe2RyH2kWS1u.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ovRDe2RyH2kWS1u.exe"
3⤵
PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1588-140-0x0000000001450000-0x000000000179A000-memory.dmp

Filesize
3.3MB

Download
memory/1588-141-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1588-142-0x0000000001880000-0x0000000001891000-memory.dmp

Filesize
68KB

Download
memory/1588-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1588-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1880-147-0x0000000002C60000-0x0000000002CF0000-memory.dmp

Filesize
576KB

Download
memory/1880-146-0x0000000002D60000-0x00000000030AA000-memory.dmp

Filesize
3.3MB

Download
memory/1880-145-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/1880-144-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/2428-143-0x0000000002940000-0x0000000002A18000-memory.dmp

Filesize
864KB

Download
memory/2428-148-0x0000000007B60000-0x0000000007CA9000-memory.dmp

Filesize
1.3MB

Download
memory/3744-136-0x0000000009020000-0x00000000090BC000-memory.dmp

Filesize
624KB

Download
memory/3744-135-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/3744-130-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/3744-134-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3744-133-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3744-132-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/3744-131-0x0000000000D60000-0x0000000000E28000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads