xloader | d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006

General

Target

R00127789.exe
Size

754KB
MD5

5ade5905aebb3d0f6cafd3d36c01927b
SHA1

8b5f6901647c9f17114e3092fc2b226c7478121d
SHA256

d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006
SHA512

c2e324286d7a819f9dc228b51258e888db980fbdd5a05171bd25ba6c742b3ff71d285db095ab7d577f620f8a3e5baba0c863154d4f63df6e5b1e0241362421a4

Score

10^/10

xloader mjup loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mjup

Decoy

cyqcc.com

mynext.guru

clickbuzz.tech

testingsitewp.store

starblast.space

xn--cocola-6wa.com

kathicrafts.com

tiktokshop.cloud

akasa42.com

therosedalefw.com

fabuluxepicnicsatl.com

dtoyer.com

trungtambtx.com

uploaded.space

newgradient.com

micron365.com

driving-ukrainka.com

feretsfreshcutsproduce.com

1781tudor301.info

mecca-services.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/908-137-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/3652-147-0x0000000001110000-0x000000000113A000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

67 3652 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

908 AddInProcess32.exe

flow	pid	process
67	3652	cmd.exe

pid	process
908	AddInProcess32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

R00127789.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 3928 set thread context of 908	3928	R00127789.exe	AddInProcess32.exe
PID 908 set thread context of 3020	908	AddInProcess32.exe	Explorer.EXE
PID 3652 set thread context of 3020	3652	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

R00127789.exeAddInProcess32.execmd.exe

pid	process
3928	R00127789.exe
3928	R00127789.exe
908	AddInProcess32.exe
908	AddInProcess32.exe
908	AddInProcess32.exe
908	AddInProcess32.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe
3652	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.execmd.exe

pid process

908 AddInProcess32.exe
908 AddInProcess32.exe
908 AddInProcess32.exe
3652 cmd.exe
3652 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

R00127789.exeAddInProcess32.execmd.exe

description pid process

Token: SeDebugPrivilege 3928 R00127789.exe
Token: SeDebugPrivilege 908 AddInProcess32.exe
Token: SeDebugPrivilege 3652 cmd.exe

pid	process
3020	Explorer.EXE

pid	process
908	AddInProcess32.exe
908	AddInProcess32.exe
908	AddInProcess32.exe
3652	cmd.exe
3652	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3928	R00127789.exe
Token: SeDebugPrivilege	908	AddInProcess32.exe
Token: SeDebugPrivilege	3652	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

R00127789.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3928 wrote to memory of 908	3928	R00127789.exe	AddInProcess32.exe
PID 3020 wrote to memory of 3652	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3652	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3652	3020	Explorer.EXE	cmd.exe
PID 3652 wrote to memory of 3508	3652	cmd.exe	cmd.exe
PID 3652 wrote to memory of 3508	3652	cmd.exe	cmd.exe
PID 3652 wrote to memory of 3508	3652	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\R00127789.exe
"C:\Users\Admin\AppData\Local\Temp\R00127789.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/908-139-0x00000000012C0000-0x000000000160A000-memory.dmp

Filesize
3.3MB

Download
memory/908-141-0x0000000001610000-0x0000000001621000-memory.dmp

Filesize
68KB

Download
memory/908-136-0x0000000000000000-mapping.dmp

Download
memory/908-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3020-150-0x0000000008110000-0x0000000008249000-memory.dmp

Filesize
1.2MB

Download
memory/3020-142-0x0000000003110000-0x0000000003208000-memory.dmp

Filesize
992KB

Download
memory/3508-145-0x0000000000000000-mapping.dmp

Download
memory/3652-146-0x00000000001B0000-0x000000000020A000-memory.dmp

Filesize
360KB

Download
memory/3652-143-0x0000000000000000-mapping.dmp

Download
memory/3652-147-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download
memory/3652-148-0x0000000001970000-0x0000000001CBA000-memory.dmp

Filesize
3.3MB

Download
memory/3652-149-0x00000000017D0000-0x0000000001860000-memory.dmp

Filesize
576KB

Download
memory/3928-135-0x00000000114B0000-0x00000000114D2000-memory.dmp

Filesize
136KB

Download
memory/3928-134-0x0000000008B50000-0x0000000008B5A000-memory.dmp

Filesize
40KB

Download
memory/3928-133-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3928-132-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/3928-130-0x00000000009B0000-0x0000000000A72000-memory.dmp

Filesize
776KB

Download
memory/3928-131-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads