xloader | d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006

General

Target

R00127789.exe
Size

754KB
MD5

5ade5905aebb3d0f6cafd3d36c01927b
SHA1

8b5f6901647c9f17114e3092fc2b226c7478121d
SHA256

d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006
SHA512

c2e324286d7a819f9dc228b51258e888db980fbdd5a05171bd25ba6c742b3ff71d285db095ab7d577f620f8a3e5baba0c863154d4f63df6e5b1e0241362421a4

Score

10^/10

xloader mjup loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mjup

Decoy

cyqcc.com

mynext.guru

clickbuzz.tech

testingsitewp.store

starblast.space

xn--cocola-6wa.com

kathicrafts.com

tiktokshop.cloud

akasa42.com

therosedalefw.com

fabuluxepicnicsatl.com

dtoyer.com

trungtambtx.com

uploaded.space

newgradient.com

micron365.com

driving-ukrainka.com

feretsfreshcutsproduce.com

1781tudor301.info

mecca-services.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1952-62-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1952-63-0x000000000041DA90-mapping.dmp	xloader
behavioral1/memory/1952-66-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/1956-75-0x0000000000080000-0x00000000000AA000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

1952 AddInProcess32.exe
Loads dropped DLL 1 IoCs

Processes:

R00127789.exe

pid process

1688 R00127789.exe

pid	process
1952	AddInProcess32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

R00127789.exeAddInProcess32.exeNETSTAT.EXE

description	pid	process	target process
PID 1688 set thread context of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1952 set thread context of 1396	1952	AddInProcess32.exe	Explorer.EXE
PID 1952 set thread context of 1396	1952	AddInProcess32.exe	Explorer.EXE
PID 1956 set thread context of 1396	1956	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1956 NETSTAT.EXE

pid	process
1956	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

R00127789.exeAddInProcess32.exeNETSTAT.EXE

pid	process
1688	R00127789.exe
1688	R00127789.exe
1952	AddInProcess32.exe
1952	AddInProcess32.exe
1952	AddInProcess32.exe
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE
1956	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.exeNETSTAT.EXE

pid process

1952 AddInProcess32.exe
1952 AddInProcess32.exe
1952 AddInProcess32.exe
1952 AddInProcess32.exe
1956 NETSTAT.EXE
1956 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

R00127789.exeAddInProcess32.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1688 R00127789.exe
Token: SeDebugPrivilege 1952 AddInProcess32.exe
Token: SeDebugPrivilege 1956 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1952	AddInProcess32.exe
1952	AddInProcess32.exe
1952	AddInProcess32.exe
1952	AddInProcess32.exe
1956	NETSTAT.EXE
1956	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1688	R00127789.exe
Token: SeDebugPrivilege	1952	AddInProcess32.exe
Token: SeDebugPrivilege	1956	NETSTAT.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

R00127789.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1688 wrote to memory of 1952	1688	R00127789.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1956	1396	Explorer.EXE	NETSTAT.EXE
PID 1396 wrote to memory of 1956	1396	Explorer.EXE	NETSTAT.EXE
PID 1396 wrote to memory of 1956	1396	Explorer.EXE	NETSTAT.EXE
PID 1396 wrote to memory of 1956	1396	Explorer.EXE	NETSTAT.EXE
PID 1956 wrote to memory of 1140	1956	NETSTAT.EXE	cmd.exe
PID 1956 wrote to memory of 1140	1956	NETSTAT.EXE	cmd.exe
PID 1956 wrote to memory of 1140	1956	NETSTAT.EXE	cmd.exe
PID 1956 wrote to memory of 1140	1956	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\R00127789.exe
"C:\Users\Admin\AppData\Local\Temp\R00127789.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1140-78-0x0000000000000000-mapping.dmp

Download
memory/1396-80-0x00000000070F0000-0x0000000007220000-memory.dmp

Filesize
1.2MB

Download
memory/1396-72-0x0000000007880000-0x00000000079F7000-memory.dmp

Filesize
1.5MB

Download
memory/1396-69-0x00000000068C0000-0x00000000069B3000-memory.dmp

Filesize
972KB

Download
memory/1688-54-0x0000000000B50000-0x0000000000C12000-memory.dmp

Filesize
776KB

Download
memory/1688-55-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1688-56-0x0000000000B30000-0x0000000000B4A000-memory.dmp

Filesize
104KB

Download
memory/1688-57-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/1952-68-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/1952-67-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1952-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-71-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/1952-63-0x000000000041DA90-mapping.dmp

Download
memory/1952-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1952-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1956-73-0x0000000000000000-mapping.dmp

Download
memory/1956-74-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1956-75-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1956-76-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/1956-79-0x0000000001F20000-0x0000000001FB0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads