xloader | 4456d9055df856153b932872a02fbb44e4e11012b2b0123195a5a84e6f41b87f

General

Target

cotización_1782902.exe
Size

498KB
MD5

60cb897960cc1e4a74cde6395e74dbfe
SHA1

18a97dfd7176f8f07334d2f3836f1226f2220a4a
SHA256

a6900f47fa0f0d76b67e1c4fe017dad2665e52185327c9bbd905514cbcf7728c
SHA512

11fe445244943a3b588817369f0adf7aaa03f4a592c68eb604679c8f77ca44f9af786570d06180b87f67284effe29d695c3585ac83b34a1eaaa97a02e395c34c

Score

10^/10

xloader snjq loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snjq

Decoy

codezonesoftware.xyz

traexcel.com

smalltowncontractors.com

classicalequestrianacademy.com

jlvip1066.com

ovacup.online

foodcravings2312.com

dbelnlogoro.quest

valeriebeijing.com

steri-spiral.com

envisionpoolsnd.biz

adclw.net

smartaf5.xyz

tech4ad.com

trimilos.info

blockplace.club

gunpowderz.com

nayrajewels.com

fapcxi.xyz

mentication.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3856-138-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/3856-140-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/220-147-0x0000000000D40000-0x0000000000D6A000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

cotización_1782902.execotización_1782902.execontrol.exe

description	pid	process	target process
PID 3248 set thread context of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3856 set thread context of 3152	3856	cotización_1782902.exe	Explorer.EXE
PID 220 set thread context of 3152	220	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

cotización_1782902.execotización_1782902.execontrol.exe

pid	process
3248	cotización_1782902.exe
3248	cotización_1782902.exe
3856	cotización_1782902.exe
3856	cotización_1782902.exe
3856	cotización_1782902.exe
3856	cotización_1782902.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe
220	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

cotización_1782902.execontrol.exe

pid process

3856 cotización_1782902.exe
3856 cotización_1782902.exe
3856 cotización_1782902.exe
220 control.exe
220 control.exe

pid	process
3152	Explorer.EXE

pid	process
3856	cotización_1782902.exe
3856	cotización_1782902.exe
3856	cotización_1782902.exe
220	control.exe
220	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cotización_1782902.execotización_1782902.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	3248	cotización_1782902.exe
Token: SeDebugPrivilege	3856	cotización_1782902.exe
Token: SeDebugPrivilege	220	control.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cotización_1782902.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3248 wrote to memory of 4300	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 4300	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 4300	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3248 wrote to memory of 3856	3248	cotización_1782902.exe	cotización_1782902.exe
PID 3152 wrote to memory of 220	3152	Explorer.EXE	control.exe
PID 3152 wrote to memory of 220	3152	Explorer.EXE	control.exe
PID 3152 wrote to memory of 220	3152	Explorer.EXE	control.exe
PID 220 wrote to memory of 4820	220	control.exe	cmd.exe
PID 220 wrote to memory of 4820	220	control.exe	cmd.exe
PID 220 wrote to memory of 4820	220	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe
"C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe
"C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
3⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe
"C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\cotización_1782902.exe"
3⤵
PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-149-0x0000000002C30000-0x0000000002CC0000-memory.dmp

Filesize
576KB

Download
memory/220-148-0x0000000002F00000-0x000000000324A000-memory.dmp

Filesize
3.3MB

Download
memory/220-147-0x0000000000D40000-0x0000000000D6A000-memory.dmp

Filesize
168KB

Download
memory/220-146-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/220-144-0x0000000000000000-mapping.dmp

Download
memory/3152-143-0x0000000002730000-0x000000000281E000-memory.dmp

Filesize
952KB

Download
memory/3152-150-0x0000000008130000-0x0000000008279000-memory.dmp

Filesize
1.3MB

Download
memory/3248-135-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/3248-130-0x00000000003B0000-0x0000000000434000-memory.dmp

Filesize
528KB

Download
memory/3248-134-0x0000000007590000-0x000000000762C000-memory.dmp

Filesize
624KB

Download
memory/3248-133-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/3248-132-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/3248-131-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/3856-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3856-140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3856-141-0x0000000001930000-0x0000000001C7A000-memory.dmp

Filesize
3.3MB

Download
memory/3856-142-0x00000000018F0000-0x0000000001901000-memory.dmp

Filesize
68KB

Download
memory/3856-137-0x0000000000000000-mapping.dmp

Download
memory/4300-136-0x0000000000000000-mapping.dmp

Download
memory/4820-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads