xloader | 163e4dd4d77797c1b788c03c0f71911d2181573bdf4f048e953563b072a234c6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-01-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SWhs.exe
Size

160KB
MD5

9b39457703898f689b0e92a03d3408bf
SHA1

12cfebd737b58e1d961f226e087716ff38c420d3
SHA256

163e4dd4d77797c1b788c03c0f71911d2181573bdf4f048e953563b072a234c6
SHA512

73d7983c9582b28fff9044e328d6358c27a00aa687694e695a1f52c74d2eb43cd5674af6ad8c00b54fbdaa1c54896d1d775f529244f749f18c570713c3e24fa9
SSDEEP

3072:EhhrDpv/3jb+Na8dZL9My3BhYpm16G5tKartyetVTeH+QRRnNxm4s:E3gpF9NxhEm1j5tXrYette/nF

Score

10^/10

xloader pzb5 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

pzb5

Decoy

laceez-store.com

fastcobra.icu

adust.site

parcelpunk.com

dabanse.info

themacshisha.com

ketogenic-success.com

simplyrip.com

antoniolima.icu

ruyakeji.net

sysintegrados2.com

triangle-resolute.com

muratkivrak.com

ntwrkrecs.com

gtxhcntq.icu

charlottepromo.com

trygreenbar.com

abbathandhottub.com

sliim-up.com

hoteldeleauvive.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3820-196-0x0000000002390000-0x00000000023B9000-memory.dmp	xloader
behavioral2/memory/3820-201-0x0000000002390000-0x00000000023B9000-memory.dmp	xloader
behavioral2/memory/3820-202-0x0000000003F90000-0x000000000412A000-memory.dmp	xloader

Suspicious use of SetThreadContext 2 IoCs

Processes:

SWhs.exemsiexec.exe

description	pid	process	target process
PID 2692 set thread context of 2068	2692	SWhs.exe	Explorer.EXE
PID 3820 set thread context of 2068	3820	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

SWhs.exemsiexec.exe

pid	process
2692	SWhs.exe
2692	SWhs.exe
2692	SWhs.exe
2692	SWhs.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe
3820	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SWhs.exemsiexec.exe

pid process

2692 SWhs.exe
2692 SWhs.exe
2692 SWhs.exe
3820 msiexec.exe
3820 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SWhs.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 2692 SWhs.exe
Token: SeDebugPrivilege 3820 msiexec.exe

pid	process
2068	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2692	SWhs.exe
Token: SeDebugPrivilege	3820	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Explorer.EXEmsiexec.exe

description	pid	process	target process
PID 2068 wrote to memory of 3820	2068	Explorer.EXE	msiexec.exe
PID 2068 wrote to memory of 3820	2068	Explorer.EXE	msiexec.exe
PID 2068 wrote to memory of 3820	2068	Explorer.EXE	msiexec.exe
PID 3820 wrote to memory of 4364	3820	msiexec.exe	cmd.exe
PID 3820 wrote to memory of 4364	3820	msiexec.exe	cmd.exe
PID 3820 wrote to memory of 4364	3820	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\SWhs.exe
"C:\Users\Admin\AppData\Local\Temp\SWhs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SWhs.exe"
3⤵
PID:4364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-144-0x0000000001260000-0x0000000001313000-memory.dmp

Filesize
716KB

Download
memory/2068-200-0x0000000005810000-0x0000000005934000-memory.dmp

Filesize
1.1MB

Download
memory/2068-203-0x0000000005810000-0x0000000005934000-memory.dmp

Filesize
1.1MB

Download
memory/2692-120-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x0000000001620000-0x0000000001940000-memory.dmp

Filesize
3.1MB

Download
memory/2692-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000001480000-0x000000000161A000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-158-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-172-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-147-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-148-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-149-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-151-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-152-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-154-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-155-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-156-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-157-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-146-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-159-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-161-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-160-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-162-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-163-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-164-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-165-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-166-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-167-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-168-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-169-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-170-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-171-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-145-0x0000000000000000-mapping.dmp

Download
memory/3820-173-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-174-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-175-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-176-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-177-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-179-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-178-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-180-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-181-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-182-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-183-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-184-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-185-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-186-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-187-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-188-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download
memory/3820-195-0x0000000000100000-0x0000000000112000-memory.dmp

Filesize
72KB

Download
memory/3820-196-0x0000000002390000-0x00000000023B9000-memory.dmp

Filesize
164KB

Download
memory/3820-197-0x00000000042D0000-0x00000000045F0000-memory.dmp

Filesize
3.1MB

Download
memory/3820-199-0x0000000003F90000-0x000000000412A000-memory.dmp

Filesize
1.6MB

Download
memory/3820-201-0x0000000002390000-0x00000000023B9000-memory.dmp

Filesize
164KB

Download
memory/3820-202-0x0000000003F90000-0x000000000412A000-memory.dmp

Filesize
1.6MB

Download
memory/4364-189-0x0000000000000000-mapping.dmp

Download
memory/4364-190-0x0000000077D40000-0x0000000077ECE000-memory.dmp

Filesize
1.6MB

Download