xloader | 54dd1a6be86907485cb1f716306eb8918116f873a9382e10d92f6632491c1074

General

Target

tmp.exe
Size

331KB
MD5

4a80cec907b418a133ad5d3eea96923f
SHA1

b7772efaa512ed3465b17e07af829fedd9a885df
SHA256

54dd1a6be86907485cb1f716306eb8918116f873a9382e10d92f6632491c1074
SHA512

e8af59e857347c22a0cea3981122018b472482382fe11c642c4a67d182fc6aa78ea257f63630b36358b95304cbd07bc1048b35163af72fbb87329f3f1897bb2c

Score

10^/10

xloader sk8m loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sk8m

Decoy

cruisinforabluesin.net

elkntordo.quest

mtmoriginal.com

arespermire.quest

maisoulcolor.com

thegreekfarmerstaverna.com

midlife-fitness.com

uniquelyjessica.com

everybunnyeverybirdy.net

tryafaq.com

aandreashopp.com

selfyou.store

healthtradeusa.com

visiency.com

rainbowshopscom.com

raj-spostitve.com

jupiterflightband.com

haigui.ltd

theparentharbour.com

themutualfriend.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/816-135-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/816-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1460-143-0x0000000000B10000-0x0000000000B39000-memory.dmp	xloader
behavioral2/memory/1460-147-0x0000000000B10000-0x0000000000B39000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.execvtres.exeraserver.exe

description	pid	process	target process
PID 384 set thread context of 816	384	tmp.exe	cvtres.exe
PID 816 set thread context of 3004	816	cvtres.exe	Explorer.EXE
PID 1460 set thread context of 3004	1460	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tmp.execvtres.exeraserver.exe

pid	process
384	tmp.exe
384	tmp.exe
384	tmp.exe
384	tmp.exe
384	tmp.exe
384	tmp.exe
816	cvtres.exe
816	cvtres.exe
816	cvtres.exe
816	cvtres.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe
1460	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3004 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

cvtres.exeraserver.exe

pid process

816 cvtres.exe
816 cvtres.exe
816 cvtres.exe
1460 raserver.exe
1460 raserver.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.execvtres.exeraserver.exe

description pid process

Token: SeDebugPrivilege 384 tmp.exe
Token: SeDebugPrivilege 816 cvtres.exe
Token: SeDebugPrivilege 1460 raserver.exe

pid	process
3004	Explorer.EXE

pid	process
816	cvtres.exe
816	cvtres.exe
816	cvtres.exe
1460	raserver.exe
1460	raserver.exe

description	pid	process
Token: SeDebugPrivilege	384	tmp.exe
Token: SeDebugPrivilege	816	cvtres.exe
Token: SeDebugPrivilege	1460	raserver.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

tmp.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 384 wrote to memory of 5068	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 5068	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 5068	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 2532	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 2532	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 2532	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 3104	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 3104	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 3104	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 384 wrote to memory of 816	384	tmp.exe	cvtres.exe
PID 3004 wrote to memory of 1460	3004	Explorer.EXE	raserver.exe
PID 3004 wrote to memory of 1460	3004	Explorer.EXE	raserver.exe
PID 3004 wrote to memory of 1460	3004	Explorer.EXE	raserver.exe
PID 1460 wrote to memory of 4316	1460	raserver.exe	cmd.exe
PID 1460 wrote to memory of 4316	1460	raserver.exe	cmd.exe
PID 1460 wrote to memory of 4316	1460	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:4316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-130-0x0000000000B70000-0x0000000000BC6000-memory.dmp

Filesize
344KB

Download
memory/816-137-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download
memory/816-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/816-138-0x00000000018F0000-0x0000000001901000-memory.dmp

Filesize
68KB

Download
memory/816-134-0x0000000000000000-mapping.dmp

Download
memory/816-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1460-143-0x0000000000B10000-0x0000000000B39000-memory.dmp

Filesize
164KB

Download
memory/1460-140-0x0000000000000000-mapping.dmp

Download
memory/1460-142-0x0000000000D90000-0x0000000000DAF000-memory.dmp

Filesize
124KB

Download
memory/1460-144-0x0000000002DF0000-0x000000000313A000-memory.dmp

Filesize
3.3MB

Download
memory/1460-146-0x0000000002B20000-0x0000000002BB0000-memory.dmp

Filesize
576KB

Download
memory/1460-147-0x0000000000B10000-0x0000000000B39000-memory.dmp

Filesize
164KB

Download
memory/2532-132-0x0000000000000000-mapping.dmp

Download
memory/3004-139-0x0000000008670000-0x0000000008758000-memory.dmp

Filesize
928KB

Download
memory/3004-148-0x0000000008760000-0x0000000008836000-memory.dmp

Filesize
856KB

Download
memory/3004-149-0x0000000008760000-0x0000000008836000-memory.dmp

Filesize
856KB

Download
memory/3104-133-0x0000000000000000-mapping.dmp

Download
memory/4316-145-0x0000000000000000-mapping.dmp

Download
memory/5068-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads