xloader | 8ecc7ecdce9763d43b61041cbc6c2151fc8583a01af584f7f5fe0999d127aaf6

General

Target

680597e569b66c1c77f1f3ef9d145080.exe
Size

659KB
MD5

680597e569b66c1c77f1f3ef9d145080
SHA1

c21684c64fe6ff4ea94691a035b47cfec7dcfb05
SHA256

8ecc7ecdce9763d43b61041cbc6c2151fc8583a01af584f7f5fe0999d127aaf6
SHA512

c9d2613706df5b2ed82f5650a1812565441e1d09f733cfbf11f14e6e53d92d12a7a827b272de6605c0230165c7526aea925ef53cdd148fbf6fa8bee86714c540

Score

10^/10

xloader ocgr loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ocgr

Decoy

shiftmedicalstaffing.agency

muktobangla.xyz

attmleather.com

modelahs.com

clime.email

yonatec.com

mftie.com

doxofcolor.com

american-atlantic.net

christineenergy.com

fjqsdz.com

nagpurmandarin.com

hofwimmer.com

gororidev.com

china-eros.com

xn--ekrt15fxyb2t2c.xn--czru2d

dabsavy.com

buggy4t.com

souplant.com

insurancewineappraisals.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1656-61-0x000000000041D480-mapping.dmp	xloader
behavioral1/memory/1656-60-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1656-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2000-73-0x00000000000A0000-0x00000000000C9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1656 set thread context of 1388	1656	aspnet_compiler.exe	10
PID 1656 set thread context of 1388	1656	aspnet_compiler.exe	10
PID 2000 set thread context of 1388	2000	wscript.exe	10

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe
2000	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
1656	aspnet_compiler.exe
2000	wscript.exe
2000	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	680597e569b66c1c77f1f3ef9d145080.exe
Token: SeDebugPrivilege	1656	aspnet_compiler.exe
Token: SeDebugPrivilege	2000	wscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1380 wrote to memory of 1656	1380	680597e569b66c1c77f1f3ef9d145080.exe	26
PID 1656 wrote to memory of 2000	1656	aspnet_compiler.exe	27
PID 1656 wrote to memory of 2000	1656	aspnet_compiler.exe	27
PID 1656 wrote to memory of 2000	1656	aspnet_compiler.exe	27
PID 1656 wrote to memory of 2000	1656	aspnet_compiler.exe	27
PID 2000 wrote to memory of 2016	2000	wscript.exe	28
PID 2000 wrote to memory of 2016	2000	wscript.exe	28
PID 2000 wrote to memory of 2016	2000	wscript.exe	28
PID 2000 wrote to memory of 2016	2000	wscript.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1388
- C:\Users\Admin\AppData\Local\Temp\680597e569b66c1c77f1f3ef9d145080.exe
  "C:\Users\Admin\AppData\Local\Temp\680597e569b66c1c77f1f3ef9d145080.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        5⤵
        
        PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-55-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1380-56-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1380-54-0x0000000000060000-0x0000000000108000-memory.dmp

Filesize
672KB

Download
memory/1388-66-0x00000000064F0000-0x000000000662C000-memory.dmp

Filesize
1.2MB

Download
memory/1388-76-0x0000000006F50000-0x00000000070D5000-memory.dmp

Filesize
1.5MB

Download
memory/1388-69-0x0000000003F60000-0x000000000400D000-memory.dmp

Filesize
692KB

Download
memory/1656-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-64-0x0000000000D50000-0x0000000001053000-memory.dmp

Filesize
3.0MB

Download
memory/1656-65-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/1656-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-68-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1656-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1656-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2000-72-0x0000000000060000-0x0000000000086000-memory.dmp

Filesize
152KB

Download
memory/2000-73-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download
memory/2000-74-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/2000-75-0x0000000000500000-0x0000000000590000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing