xloader | 4d8cc87942499042195cec4fdb2fc5869d4bf98a1d827fd30fb74e82cf0fdc0f

General

Target

ce42fe431b88922ab59b6fd880cadcf6.exe
Size

224KB
MD5

ce42fe431b88922ab59b6fd880cadcf6
SHA1

652914d960da1d37d270db7f6e3b07c9d4b0e3a9
SHA256

4d8cc87942499042195cec4fdb2fc5869d4bf98a1d827fd30fb74e82cf0fdc0f
SHA512

62b30a77cb2ef3491abb3ec517ca966c4a9eafa0f263118ba817a4ce87f8d3cddc014bce25ff268435b7f69605e6c14b8031b482f7caf00e855964c618c609ba

Score

10^/10

xloader ocgr loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ocgr

Decoy

shiftmedicalstaffing.agency

muktobangla.xyz

attmleather.com

modelahs.com

clime.email

yonatec.com

mftie.com

doxofcolor.com

american-atlantic.net

christineenergy.com

fjqsdz.com

nagpurmandarin.com

hofwimmer.com

gororidev.com

china-eros.com

xn--ekrt15fxyb2t2c.xn--czru2d

dabsavy.com

buggy4t.com

souplant.com

insurancewineappraisals.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4272-133-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2936-141-0x00000000004F0000-0x0000000000519000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

ce42fe431b88922ab59b6fd880cadcf6.exeaspnet_compiler.exeWWAHost.exe

description	pid	process	target process
PID 1848 set thread context of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 4272 set thread context of 2996	4272	aspnet_compiler.exe	Explorer.EXE
PID 2936 set thread context of 2996	2936	WWAHost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

aspnet_compiler.exeWWAHost.exe

pid	process
4272	aspnet_compiler.exe
4272	aspnet_compiler.exe
4272	aspnet_compiler.exe
4272	aspnet_compiler.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe
2936	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

aspnet_compiler.exeWWAHost.exe

pid process

4272 aspnet_compiler.exe
4272 aspnet_compiler.exe
4272 aspnet_compiler.exe
2936 WWAHost.exe
2936 WWAHost.exe

pid	process
2996	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ce42fe431b88922ab59b6fd880cadcf6.exeaspnet_compiler.exeWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	1848	ce42fe431b88922ab59b6fd880cadcf6.exe
Token: SeDebugPrivilege	4272	aspnet_compiler.exe
Token: SeDebugPrivilege	2936	WWAHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ce42fe431b88922ab59b6fd880cadcf6.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 1848 wrote to memory of 4272	1848	ce42fe431b88922ab59b6fd880cadcf6.exe	aspnet_compiler.exe
PID 2996 wrote to memory of 2936	2996	Explorer.EXE	WWAHost.exe
PID 2996 wrote to memory of 2936	2996	Explorer.EXE	WWAHost.exe
PID 2996 wrote to memory of 2936	2996	Explorer.EXE	WWAHost.exe
PID 2936 wrote to memory of 1228	2936	WWAHost.exe	cmd.exe
PID 2936 wrote to memory of 1228	2936	WWAHost.exe	cmd.exe
PID 2936 wrote to memory of 1228	2936	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\ce42fe431b88922ab59b6fd880cadcf6.exe
  "C:\Users\Admin\AppData\Local\Temp\ce42fe431b88922ab59b6fd880cadcf6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3960
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3764
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3836
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-139-0x0000000000000000-mapping.dmp

Download
memory/1848-131-0x00000000053F0000-0x000000000548C000-memory.dmp

Filesize
624KB

Download
memory/1848-130-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/2936-143-0x00000000011E0000-0x0000000001270000-memory.dmp

Filesize
576KB

Download
memory/2936-142-0x00000000013C0000-0x000000000170A000-memory.dmp

Filesize
3.3MB

Download
memory/2936-141-0x00000000004F0000-0x0000000000519000-memory.dmp

Filesize
164KB

Download
memory/2936-140-0x0000000000350000-0x000000000042C000-memory.dmp

Filesize
880KB

Download
memory/2936-138-0x0000000000000000-mapping.dmp

Download
memory/2996-137-0x0000000002BE0000-0x0000000002C9D000-memory.dmp

Filesize
756KB

Download
memory/2996-144-0x0000000007BC0000-0x0000000007C54000-memory.dmp

Filesize
592KB

Download
memory/4272-136-0x00000000016C0000-0x00000000016D1000-memory.dmp

Filesize
68KB

Download
memory/4272-135-0x0000000001270000-0x00000000015BA000-memory.dmp

Filesize
3.3MB

Download
memory/4272-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4272-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads