xloader | b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1

General

Target

b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe
Size

451KB
MD5

bc743934aea2d49d211e3d6eb182f56e
SHA1

c3cc825ee22f0850abe6e503c5d6838ad7b44d1e
SHA256

b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1
SHA512

cc9c7069965230d31f0a10171bf4d4e8dfda33990c699ee1541d5f27083994ca1b5d927462383821914330db0438d54f024f492278ee54e0cb30e6df3ad2855a

Score

10^/10

xloader igqu loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

igqu

Decoy

coveloungewineandwhiskey.com

chemtradent.com

educare.cloud

shopnicknaks.com

realitytvstockwatch.com

handsfreedocs.com

trafegopago.com

ariasu-nakanokaikei.com

allmm.info

elleatx.com

erpsystem.site

whatisastaxanthin.com

hemparcade.com

ownumo.com

pasumaisangam.com

theoutdoorbed.com

plantpowered.energy

elevenelevenapparelcompany.com

vrspace.ltd

justsoldbykristen.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1660-60-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1660-61-0x000000000041CA30-mapping.dmp	xloader
behavioral1/memory/1660-63-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/524-69-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 1660 set thread context of 1200	1660	RegSvcs.exe	22
PID 524 set thread context of 1200	524	cmmon32.exe	22

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1660	RegSvcs.exe
1660	RegSvcs.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe
524	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1660	RegSvcs.exe
1660	RegSvcs.exe
1660	RegSvcs.exe
524	cmmon32.exe
524	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	RegSvcs.exe
Token: SeDebugPrivilege	524	cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 2036 wrote to memory of 1660	2036	b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe	26
PID 1200 wrote to memory of 524	1200	Explorer.EXE	27
PID 1200 wrote to memory of 524	1200	Explorer.EXE	27
PID 1200 wrote to memory of 524	1200	Explorer.EXE	27
PID 1200 wrote to memory of 524	1200	Explorer.EXE	27
PID 524 wrote to memory of 1804	524	cmmon32.exe	28
PID 524 wrote to memory of 1804	524	cmmon32.exe	28
PID 524 wrote to memory of 1804	524	cmmon32.exe	28
PID 524 wrote to memory of 1804	524	cmmon32.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe
  "C:\Users\Admin\AppData\Local\Temp\b7b54eeb2ed2b6d9d1d5c3d97646c48073234f37c798a528e41072f74e95e6b1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-72-0x00000000003E0000-0x0000000000470000-memory.dmp

Filesize
576KB

Download
memory/524-70-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/524-68-0x0000000000F50000-0x0000000000F5D000-memory.dmp

Filesize
52KB

Download
memory/524-69-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1200-66-0x0000000006260000-0x00000000063EF000-memory.dmp

Filesize
1.6MB

Download
memory/1200-73-0x0000000006AA0000-0x0000000006BAF000-memory.dmp

Filesize
1.1MB

Download
memory/1660-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1660-64-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1660-65-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1660-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1660-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1660-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-54-0x0000000000830000-0x00000000008A6000-memory.dmp

Filesize
472KB

Download
memory/2036-56-0x0000000004710000-0x0000000004768000-memory.dmp

Filesize
352KB

Download
memory/2036-55-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing