xloader | 4456d9055df856153b932872a02fbb44e4e11012b2b0123195a5a84e6f41b87f

General

Target

cotización_1782902.exe
Size

498KB
MD5

60cb897960cc1e4a74cde6395e74dbfe
SHA1

18a97dfd7176f8f07334d2f3836f1226f2220a4a
SHA256

a6900f47fa0f0d76b67e1c4fe017dad2665e52185327c9bbd905514cbcf7728c
SHA512

11fe445244943a3b588817369f0adf7aaa03f4a592c68eb604679c8f77ca44f9af786570d06180b87f67284effe29d695c3585ac83b34a1eaaa97a02e395c34c

Score

10^/10

xloader snjq loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snjq

Decoy

codezonesoftware.xyz

traexcel.com

smalltowncontractors.com

classicalequestrianacademy.com

jlvip1066.com

ovacup.online

foodcravings2312.com

dbelnlogoro.quest

valeriebeijing.com

steri-spiral.com

envisionpoolsnd.biz

adclw.net

smartaf5.xyz

tech4ad.com

trimilos.info

blockplace.club

gunpowderz.com

nayrajewels.com

fapcxi.xyz

mentication.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1672-62-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1672-63-0x000000000041D9D0-mapping.dmp	xloader
behavioral1/memory/1672-65-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1636-75-0x0000000000080000-0x00000000000AA000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
760	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 1672	1660	cotización_1782902.exe	26
PID 1672 set thread context of 1248	1672	cotización_1782902.exe	14
PID 1672 set thread context of 1248	1672	cotización_1782902.exe	14
PID 1636 set thread context of 1248	1636	wlanext.exe	14

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1672	cotización_1782902.exe
1672	cotización_1782902.exe
1672	cotización_1782902.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe
1636	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1672	cotización_1782902.exe
1672	cotización_1782902.exe
1672	cotización_1782902.exe
1672	cotización_1782902.exe
1636	wlanext.exe
1636	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	cotización_1782902.exe
Token: SeDebugPrivilege	1636	wlanext.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1660 wrote to memory of 1672	1660	cotización_1782902.exe	26
PID 1248 wrote to memory of 1636	1248	Explorer.EXE	27
PID 1248 wrote to memory of 1636	1248	Explorer.EXE	27
PID 1248 wrote to memory of 1636	1248	Explorer.EXE	27
PID 1248 wrote to memory of 1636	1248	Explorer.EXE	27
PID 1636 wrote to memory of 760	1636	wlanext.exe	28
PID 1636 wrote to memory of 760	1636	wlanext.exe	28
PID 1636 wrote to memory of 760	1636	wlanext.exe	28
PID 1636 wrote to memory of 760	1636	wlanext.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe
  "C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe
    "C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
    3⤵
    - Deletes itself
    PID:760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-78-0x0000000006F30000-0x0000000007077000-memory.dmp

Filesize
1.3MB

Download
memory/1248-68-0x00000000040D0000-0x00000000041C4000-memory.dmp

Filesize
976KB

Download
memory/1248-71-0x0000000006C70000-0x0000000006DE8000-memory.dmp

Filesize
1.5MB

Download
memory/1636-75-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1636-77-0x00000000004D0000-0x0000000000560000-memory.dmp

Filesize
576KB

Download
memory/1636-74-0x0000000002280000-0x0000000002583000-memory.dmp

Filesize
3.0MB

Download
memory/1636-73-0x0000000000E60000-0x0000000000E76000-memory.dmp

Filesize
88KB

Download
memory/1660-54-0x00000000008E0000-0x0000000000964000-memory.dmp

Filesize
528KB

Download
memory/1660-58-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/1660-57-0x00000000055C0000-0x0000000005634000-memory.dmp

Filesize
464KB

Download
memory/1660-56-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/1660-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1672-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-70-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1672-67-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/1672-66-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1672-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1672-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing