xloader | ccc3111d1efd08344fdaa03990ed7029b09e1a5f014424760b6ae2eae5539829

General

Target

BLLLLAADDEE.exe
Size

35KB
MD5

0a8d67dc73dadb3aafaa35ba4c522a99
SHA1

80ef67fc098bd298cf4d286adaf1e59dbace8211
SHA256

ccc3111d1efd08344fdaa03990ed7029b09e1a5f014424760b6ae2eae5539829
SHA512

f768f28c5981a53f36b670dc356bed13c9311c81064f1b36b062731ca4f76a336a81b7f3d447b549198ab8b50bf401a7cc0876575261e3e66cee26f9c88d1b15

Score

10^/10

xloader ssac loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ssac

Decoy

beautybybrin.com

oregemo.com

prospectoriq.com

blazermid.com

cloudnineloans.com

myyntisofta.com

filoupoils.com

web-solutiontnpasumo3.xyz

becbares.com

lines-hikkoshi.com

ohayouwww.com

writingdadsobituarywithdad.com

bridalbaes.com

jamshir.com

rangertots.com

dankbrobeans.com

titan111.com

uplearns.info

maxicashprokil.xyz

evc24.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4416-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4416-129-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4048-135-0x0000000000C60000-0x0000000000C89000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

BLLLLAADDEE.exeaspnet_compiler.exesvchost.exe

description	pid	process	target process
PID 3548 set thread context of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 4416 set thread context of 660	4416	aspnet_compiler.exe	Explorer.EXE
PID 4048 set thread context of 660	4048	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

aspnet_compiler.exesvchost.exe

pid	process
4416	aspnet_compiler.exe
4416	aspnet_compiler.exe
4416	aspnet_compiler.exe
4416	aspnet_compiler.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe
4048	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

660 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

aspnet_compiler.exesvchost.exe

pid process

4416 aspnet_compiler.exe
4416 aspnet_compiler.exe
4416 aspnet_compiler.exe
4048 svchost.exe
4048 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BLLLLAADDEE.exeaspnet_compiler.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3548 BLLLLAADDEE.exe
Token: SeDebugPrivilege 4416 aspnet_compiler.exe
Token: SeDebugPrivilege 4048 svchost.exe

pid	process
660	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3548	BLLLLAADDEE.exe
Token: SeDebugPrivilege	4416	aspnet_compiler.exe
Token: SeDebugPrivilege	4048	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

BLLLLAADDEE.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 3548 wrote to memory of 4416	3548	BLLLLAADDEE.exe	aspnet_compiler.exe
PID 660 wrote to memory of 4048	660	Explorer.EXE	svchost.exe
PID 660 wrote to memory of 4048	660	Explorer.EXE	svchost.exe
PID 660 wrote to memory of 4048	660	Explorer.EXE	svchost.exe
PID 4048 wrote to memory of 4612	4048	svchost.exe	cmd.exe
PID 4048 wrote to memory of 4612	4048	svchost.exe	cmd.exe
PID 4048 wrote to memory of 4612	4048	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\BLLLLAADDEE.exe
"C:\Users\Admin\AppData\Local\Temp\BLLLLAADDEE.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-139-0x0000000002D50000-0x0000000002DE4000-memory.dmp

Filesize
592KB

Download
memory/660-132-0x0000000007ED0000-0x0000000007FD3000-memory.dmp

Filesize
1.0MB

Download
memory/3548-125-0x0000000006320000-0x00000000063BC000-memory.dmp

Filesize
624KB

Download
memory/3548-124-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/4048-134-0x00000000000D0000-0x00000000000DE000-memory.dmp

Filesize
56KB

Download
memory/4048-138-0x0000000001370000-0x0000000001400000-memory.dmp

Filesize
576KB

Download
memory/4048-137-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/4048-135-0x0000000000C60000-0x0000000000C89000-memory.dmp

Filesize
164KB

Download
memory/4048-133-0x0000000000000000-mapping.dmp

Download
memory/4416-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-131-0x0000000001330000-0x0000000001341000-memory.dmp

Filesize
68KB

Download
memory/4416-130-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/4416-129-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4416-126-0x0000000000000000-mapping.dmp

Download
memory/4612-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads