xloader | 02ad8318feb2f8ce745e2cefa321f18d19b7ad72085664371033fada68bd6b91

General

Target

RQM6HLsZQYLa9qt.exe
Size

1.3MB
MD5

2d42eded04b592b539951f61742a736a
SHA1

d0c31bc164b18121ceb884859a9a5a5547ee437e
SHA256

02ad8318feb2f8ce745e2cefa321f18d19b7ad72085664371033fada68bd6b91
SHA512

634e5223d883e42be784a02c4882109140ef7a42a781d4142978bf7a3da40ae4c535a5dffca1e26160542338c437fe44ce8f84f8ab32b7df328ad7837517f4ff

Score

10^/10

xloader wdc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5012-140-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4220-148-0x0000000001060000-0x0000000001089000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

RQM6HLsZQYLa9qt.exeRQM6HLsZQYLa9qt.exemsiexec.exe

description	pid	process	target process
PID 2596 set thread context of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 5012 set thread context of 3048	5012	RQM6HLsZQYLa9qt.exe	Explorer.EXE
PID 4220 set thread context of 3048	4220	msiexec.exe	Explorer.EXE

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

RQM6HLsZQYLa9qt.exemsiexec.exe

pid	process
5012	RQM6HLsZQYLa9qt.exe
5012	RQM6HLsZQYLa9qt.exe
5012	RQM6HLsZQYLa9qt.exe
5012	RQM6HLsZQYLa9qt.exe
5012	RQM6HLsZQYLa9qt.exe
5012	RQM6HLsZQYLa9qt.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe
4220	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RQM6HLsZQYLa9qt.exemsiexec.exe

pid process

5012 RQM6HLsZQYLa9qt.exe
5012 RQM6HLsZQYLa9qt.exe
5012 RQM6HLsZQYLa9qt.exe
4220 msiexec.exe
4220 msiexec.exe

pid	process
3048	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RQM6HLsZQYLa9qt.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	5012	RQM6HLsZQYLa9qt.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeDebugPrivilege	4220	msiexec.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
3048 Explorer.EXE

pid	process
3048	Explorer.EXE
3048	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RQM6HLsZQYLa9qt.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 2596 wrote to memory of 5012	2596	RQM6HLsZQYLa9qt.exe	RQM6HLsZQYLa9qt.exe
PID 3048 wrote to memory of 4220	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 4220	3048	Explorer.EXE	msiexec.exe
PID 3048 wrote to memory of 4220	3048	Explorer.EXE	msiexec.exe
PID 4220 wrote to memory of 4520	4220	msiexec.exe	cmd.exe
PID 4220 wrote to memory of 4520	4220	msiexec.exe	cmd.exe
PID 4220 wrote to memory of 4520	4220	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe
"C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe
"C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RQM6HLsZQYLa9qt.exe"
3⤵
PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-135-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/2596-136-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/2596-137-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/2596-138-0x0000000008670000-0x000000000870C000-memory.dmp

Filesize
624KB

Download
memory/2596-134-0x00000000002E0000-0x000000000043A000-memory.dmp

Filesize
1.4MB

Download
memory/3048-144-0x0000000007B90000-0x0000000007CCC000-memory.dmp

Filesize
1.2MB

Download
memory/3048-151-0x0000000007CF0000-0x0000000007DCB000-memory.dmp

Filesize
876KB

Download
memory/4220-147-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/4220-145-0x0000000000000000-mapping.dmp

Download
memory/4220-148-0x0000000001060000-0x0000000001089000-memory.dmp

Filesize
164KB

Download
memory/4220-149-0x0000000002FD0000-0x000000000331A000-memory.dmp

Filesize
3.3MB

Download
memory/4220-150-0x0000000003320000-0x00000000033B0000-memory.dmp

Filesize
576KB

Download
memory/4520-146-0x0000000000000000-mapping.dmp

Download
memory/5012-142-0x0000000001B10000-0x0000000001E5A000-memory.dmp

Filesize
3.3MB

Download
memory/5012-143-0x0000000001650000-0x0000000001661000-memory.dmp

Filesize
68KB

Download
memory/5012-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5012-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads