xloader | d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860

General

Target

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
Size

803KB
MD5

74c748432b2e34ea92e2a386094e4fdc
SHA1

e6a0d9852ae56f195b1bf3cbe37a279f4535d9b6
SHA256

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860
SHA512

2f1c8d6187c2e0dde4111d5b2dc9e99dce89c5bc5f5a38ee65d8ec3f5ad2c52da4749228b2261b51afb61dc72cfb19200e91d9df91c3dcfdd5272525c509667a

Score

10^/10

xloader arh2 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arh2

Decoy

anniversaryalert.com

kinship.space

buabdullagroup.com

ghostprotectionagency.com

scion-go-getter.com

skindeepapp.com

kysp3.xyz

bonitaspringshomesearch.com

bestdeals2022.online

themarketingstinger.com

chengkayouxuan.com

fendoremi.com

j-stra.com

klingelecn.net

deluxecarepro.com

huanbaodg.com

mes-dents-blanches.com

solutionsemissionsimplifiee.com

abedbashir.tech

good-collection.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1056-133-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1656-140-0x0000000000A30000-0x0000000000A59000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exewhere.exewlanext.exe

description	pid	process	target process
PID 1020 set thread context of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1056 set thread context of 2812	1056	where.exe	Explorer.EXE
PID 1656 set thread context of 2812	1656	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exewhere.exewlanext.exe

pid	process
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1056	where.exe
1056	where.exe
1056	where.exe
1056	where.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe
1656	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2812 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

where.exewlanext.exe

pid process

1056 where.exe
1056 where.exe
1056 where.exe
1656 wlanext.exe
1656 wlanext.exe

pid	process
2812	Explorer.EXE

pid	process
1056	where.exe
1056	where.exe
1056	where.exe
1656	wlanext.exe
1656	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exewhere.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
Token: SeDebugPrivilege	1056	where.exe
Token: SeDebugPrivilege	1656	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 1020 wrote to memory of 1056	1020	d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe	where.exe
PID 2812 wrote to memory of 1656	2812	Explorer.EXE	wlanext.exe
PID 2812 wrote to memory of 1656	2812	Explorer.EXE	wlanext.exe
PID 2812 wrote to memory of 1656	2812	Explorer.EXE	wlanext.exe
PID 1656 wrote to memory of 1544	1656	wlanext.exe	cmd.exe
PID 1656 wrote to memory of 1544	1656	wlanext.exe	cmd.exe
PID 1656 wrote to memory of 1544	1656	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe
"C:\Users\Admin\AppData\Local\Temp\d63789eb0eadba36bd89975294d18afa75ceef26c802b9dabde0ee81b1484860.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\where.exe
"C:\Windows\SysWOW64\where.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\where.exe"
3⤵
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-130-0x0000000000EC0000-0x0000000000F90000-memory.dmp

Filesize
832KB

Download
memory/1020-131-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/1056-132-0x0000000000000000-mapping.dmp

Download
memory/1056-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-135-0x0000000001230000-0x000000000157A000-memory.dmp

Filesize
3.3MB

Download
memory/1056-136-0x0000000001210000-0x0000000001221000-memory.dmp

Filesize
68KB

Download
memory/1544-141-0x0000000000000000-mapping.dmp

Download
memory/1656-139-0x0000000000CF0000-0x0000000000D07000-memory.dmp

Filesize
92KB

Download
memory/1656-140-0x0000000000A30000-0x0000000000A59000-memory.dmp

Filesize
164KB

Download
memory/1656-138-0x0000000000000000-mapping.dmp

Download
memory/1656-142-0x00000000010F0000-0x000000000143A000-memory.dmp

Filesize
3.3MB

Download
memory/1656-143-0x0000000000F90000-0x0000000001020000-memory.dmp

Filesize
576KB

Download
memory/2812-137-0x00000000082A0000-0x00000000083C8000-memory.dmp

Filesize
1.2MB

Download
memory/2812-144-0x00000000083D0000-0x000000000852C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads