xloader | 8cdab55f03a0103f12a901033faa5de3df31084d4ec8fe4b3bea68a3d9b83cb2

General

Target

SC51094.exe
Size

15KB
MD5

11a1903c8e55120bd87ffbbdd69ce5d5
SHA1

fe317a22318883df21958d41b51542a8f073c064
SHA256

4383e4fce4c6ea01fa19943595eff236f3c9a4470de9c790561db8592e0a92c0
SHA512

2b479072ce490a086773a8aa8d6d6aa9c900e21e8c31245182bd699f5ed539c05ad6839f70e8235cd56a5686a8e1f16a3e007dc0b6db1103cd98b93e60437db6

Score

10^/10

xloader ahc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4128-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4128-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4064-144-0x0000000000AF0000-0x0000000000B19000-memory.dmp	xloader

Downloads MZ/PE file

Suspicious use of SetThreadContext 3 IoCs

Processes:

SC51094.exeSC51094.exesystray.exe

description	pid	process	target process
PID 2800 set thread context of 4128	2800	SC51094.exe	SC51094.exe
PID 4128 set thread context of 2060	4128	SC51094.exe	Explorer.EXE
PID 4064 set thread context of 2060	4064	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

SC51094.exesystray.exe

pid	process
4128	SC51094.exe
4128	SC51094.exe
4128	SC51094.exe
4128	SC51094.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe
4064	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SC51094.exesystray.exe

pid process

4128 SC51094.exe
4128 SC51094.exe
4128 SC51094.exe
4064 systray.exe
4064 systray.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SC51094.exeSC51094.exesystray.exe

description pid process

Token: SeDebugPrivilege 2800 SC51094.exe
Token: SeDebugPrivilege 4128 SC51094.exe
Token: SeDebugPrivilege 4064 systray.exe

pid	process
2060	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2800	SC51094.exe
Token: SeDebugPrivilege	4128	SC51094.exe
Token: SeDebugPrivilege	4064	systray.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SC51094.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2800 wrote to memory of 4128	2800	SC51094.exe	SC51094.exe
PID 2060 wrote to memory of 4064	2060	Explorer.EXE	systray.exe
PID 2060 wrote to memory of 4064	2060	Explorer.EXE	systray.exe
PID 2060 wrote to memory of 4064	2060	Explorer.EXE	systray.exe
PID 4064 wrote to memory of 4312	4064	systray.exe	cmd.exe
PID 4064 wrote to memory of 4312	4064	systray.exe	cmd.exe
PID 4064 wrote to memory of 4312	4064	systray.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SC51094.exe
"C:\Users\Admin\AppData\Local\Temp\SC51094.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\SC51094.exe
"C:\Users\Admin\AppData\Local\Temp\SC51094.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SC51094.exe"
3⤵
PID:4312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2060-140-0x0000000007E40000-0x0000000007FE7000-memory.dmp

Filesize
1.7MB

Download
memory/2060-147-0x0000000002F10000-0x0000000002FE4000-memory.dmp

Filesize
848KB

Download
memory/2800-131-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/2800-132-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/2800-133-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2800-134-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/2800-135-0x00000000063E0000-0x000000000647C000-memory.dmp

Filesize
624KB

Download
memory/2800-130-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/4064-143-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/4064-144-0x0000000000AF0000-0x0000000000B19000-memory.dmp

Filesize
164KB

Download
memory/4064-145-0x0000000002CC0000-0x000000000300A000-memory.dmp

Filesize
3.3MB

Download
memory/4064-146-0x0000000002A20000-0x0000000002AB0000-memory.dmp

Filesize
576KB

Download
memory/4128-139-0x00000000014F0000-0x000000000183A000-memory.dmp

Filesize
3.3MB

Download
memory/4128-141-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/4128-142-0x0000000001840000-0x0000000001851000-memory.dmp

Filesize
68KB

Download
memory/4128-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4128-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads