xloader | 0fb2dc0a2ad27a832050c14675e3d816920c0a290bffece8ba6a0245b3eaecc6

General

Target

catzx.exe
Size

851KB
MD5

e1731c2db19a1b2264946e001c26aad5
SHA1

7044f00a4512c634b2aee0efa360f03e1f8a66e3
SHA256

0fb2dc0a2ad27a832050c14675e3d816920c0a290bffece8ba6a0245b3eaecc6
SHA512

556a962b93b34dcb52f69ab9e48412b1643124e1ef3e8ec982ff66ed77f40253f3eb902d4293261301ff10c7761a5f044e0c7ae935a4d423b7252c530004a2d4

Score

10^/10

xloader r007 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r007

Decoy

trashpandaservice.com

mobileads.network

ascolstore.com

gelsinextra.com

bonestell.net

heitoll.xyz

ceapgis.com

mon-lapin.biz

miq-eva.com

rematedesillas.com

playingonline.xyz

hausense.quest

tnyzw.com

appsdial.com

addcolor.city

hagenoblog.com

michaelwesleyj.com

she-zain.com

lorhsems.com

karmaserena.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2516-139-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/2516-141-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/4668-147-0x0000000000F10000-0x0000000000F3A000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

catzx.execatzx.exesvchost.exe

description	pid	process	target process
PID 1860 set thread context of 2516	1860	catzx.exe	catzx.exe
PID 2516 set thread context of 796	2516	catzx.exe	Explorer.EXE
PID 4668 set thread context of 796	4668	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

catzx.execatzx.exesvchost.exe

pid	process
1860	catzx.exe
1860	catzx.exe
1860	catzx.exe
1860	catzx.exe
2516	catzx.exe
2516	catzx.exe
2516	catzx.exe
2516	catzx.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe
4668	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

796 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

catzx.exesvchost.exe

pid process

2516 catzx.exe
2516 catzx.exe
2516 catzx.exe
4668 svchost.exe
4668 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

catzx.execatzx.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1860 catzx.exe
Token: SeDebugPrivilege 2516 catzx.exe
Token: SeDebugPrivilege 4668 svchost.exe

pid	process
796	Explorer.EXE

pid	process
2516	catzx.exe
2516	catzx.exe
2516	catzx.exe
4668	svchost.exe
4668	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1860	catzx.exe
Token: SeDebugPrivilege	2516	catzx.exe
Token: SeDebugPrivilege	4668	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

catzx.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1860 wrote to memory of 2708	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2708	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2708	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 3872	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 3872	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 3872	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 1860 wrote to memory of 2516	1860	catzx.exe	catzx.exe
PID 796 wrote to memory of 4668	796	Explorer.EXE	svchost.exe
PID 796 wrote to memory of 4668	796	Explorer.EXE	svchost.exe
PID 796 wrote to memory of 4668	796	Explorer.EXE	svchost.exe
PID 4668 wrote to memory of 2180	4668	svchost.exe	cmd.exe
PID 4668 wrote to memory of 2180	4668	svchost.exe	cmd.exe
PID 4668 wrote to memory of 2180	4668	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\catzx.exe
"C:\Users\Admin\AppData\Local\Temp\catzx.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\catzx.exe
"C:\Users\Admin\AppData\Local\Temp\catzx.exe"
3⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\catzx.exe
"C:\Users\Admin\AppData\Local\Temp\catzx.exe"
3⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\catzx.exe
"C:\Users\Admin\AppData\Local\Temp\catzx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\catzx.exe"
3⤵
PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-151-0x000000000A2D0000-0x000000000A40C000-memory.dmp

Filesize
1.2MB

Download
memory/796-144-0x0000000008A20000-0x0000000008B67000-memory.dmp

Filesize
1.3MB

Download
memory/1860-130-0x00000000001F0000-0x00000000002CC000-memory.dmp

Filesize
880KB

Download
memory/1860-131-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/1860-132-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/1860-133-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/1860-134-0x0000000008890000-0x000000000892C000-memory.dmp

Filesize
624KB

Download
memory/1860-135-0x0000000009010000-0x0000000009076000-memory.dmp

Filesize
408KB

Download
memory/2180-148-0x0000000000000000-mapping.dmp

Download
memory/2516-142-0x0000000001590000-0x00000000015A1000-memory.dmp

Filesize
68KB

Download
memory/2516-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2516-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2516-143-0x0000000001A30000-0x0000000001D7A000-memory.dmp

Filesize
3.3MB

Download
memory/2516-138-0x0000000000000000-mapping.dmp

Download
memory/2708-136-0x0000000000000000-mapping.dmp

Download
memory/3872-137-0x0000000000000000-mapping.dmp

Download
memory/4668-145-0x0000000000000000-mapping.dmp

Download
memory/4668-146-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/4668-147-0x0000000000F10000-0x0000000000F3A000-memory.dmp

Filesize
168KB

Download
memory/4668-149-0x0000000001C00000-0x0000000001F4A000-memory.dmp

Filesize
3.3MB

Download
memory/4668-150-0x0000000001A00000-0x0000000001A90000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads