xloader | 2bd56fc7272ef5778feda356b57529bb6e3b4223cfc84bc4084a23984cb9a73e

General

Target

QFL21070864140HQ-pdf.exe
Size

1.0MB
MD5

dc1d2738ba06e1287d61bab41bdb587f
SHA1

29220b1a6efc6eee9e6691fe09c8ab001ecb07c4
SHA256

8d14d34bfe71397c4afe1a39bd68139f0d044f21e4cf5eaa43fc8fc15cb74d82
SHA512

2f056a5ea3adcbf35cca58c820e806718498aadec7bd552c138bb9f4076bc9a959e8412f9a9c5298bff1b9969b675142c52f6f0b4f11c13e6c40e79c8a2d163e
SSDEEP

24576:MAfuE/aqagftlM1vj9L5O5Fx85/drK64JCG4RoyCcbO82QsFKw2L9:MAfuE/aqagftlM1vj7OgK64JxqkcbeK9

Score

10^/10

xloader ipa8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ipa8

Decoy

royalposhpups.com

univa.world

lanerbo.com

shopbabygo.com

theutahhomestore.com

serialmixer.icu

linfeiya.com

xn--12cg3de5c2eb5cyi.com

am-conseil-communication.com

dailygame168.com

therightmilitia.com

visions-agency.com

mapopi.com

frugallyketo.com

guapandglo.com

54w-x126v.net

your-health-kick.com

blockchainhub360.com

registernowhd.xyz

votekellykitashima.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1004-8-0x0000000005180000-0x0000000005192000-memory.dmp	CustAttr

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4368-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4368-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3888-23-0x0000000000A00000-0x0000000000A29000-memory.dmp	xloader
behavioral2/memory/3888-25-0x0000000000A00000-0x0000000000A29000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 4368 set thread context of 3416	4368	QFL21070864140HQ-pdf.exe	60
PID 3888 set thread context of 3416	3888	msdt.exe	60

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe
3888	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
4368	QFL21070864140HQ-pdf.exe
3888	msdt.exe
3888	msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	QFL21070864140HQ-pdf.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE
Token: SeDebugPrivilege	3888	msdt.exe
Token: SeShutdownPrivilege	3416	Explorer.EXE
Token: SeCreatePagefilePrivilege	3416	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3416	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 1004 wrote to memory of 4368	1004	QFL21070864140HQ-pdf.exe	100
PID 3416 wrote to memory of 3888	3416	Explorer.EXE	101
PID 3416 wrote to memory of 3888	3416	Explorer.EXE	101
PID 3416 wrote to memory of 3888	3416	Explorer.EXE	101
PID 3888 wrote to memory of 3712	3888	msdt.exe	102
PID 3888 wrote to memory of 3712	3888	msdt.exe	102
PID 3888 wrote to memory of 3712	3888	msdt.exe	102

C:\Users\Admin\AppData\Local\Temp\QFL21070864140HQ-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\QFL21070864140HQ-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\QFL21070864140HQ-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\QFL21070864140HQ-pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:4368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\QFL21070864140HQ-pdf.exe"
    3⤵
    PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-8-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/1004-10-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1004-2-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

Filesize
624KB

Download
memory/1004-9-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-4-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/1004-5-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/1004-6-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/1004-7-0x00000000050A0000-0x00000000050F6000-memory.dmp

Filesize
344KB

Download
memory/1004-1-0x0000000000430000-0x0000000000540000-memory.dmp

Filesize
1.1MB

Download
memory/1004-0-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-3-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/1004-11-0x0000000000BE0000-0x0000000000C58000-memory.dmp

Filesize
480KB

Download
memory/1004-12-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

Filesize
192KB

Download
memory/1004-20-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/3416-32-0x00000000087F0000-0x00000000088E7000-memory.dmp

Filesize
988KB

Download
memory/3416-31-0x00000000087F0000-0x00000000088E7000-memory.dmp

Filesize
988KB

Download
memory/3416-28-0x0000000003610000-0x0000000003722000-memory.dmp

Filesize
1.1MB

Download
memory/3416-19-0x0000000003610000-0x0000000003722000-memory.dmp

Filesize
1.1MB

Download
memory/3416-35-0x00000000087F0000-0x00000000088E7000-memory.dmp

Filesize
988KB

Download
memory/3888-23-0x0000000000A00000-0x0000000000A29000-memory.dmp

Filesize
164KB

Download
memory/3888-22-0x0000000000EF0000-0x0000000000F47000-memory.dmp

Filesize
348KB

Download
memory/3888-21-0x0000000000EF0000-0x0000000000F47000-memory.dmp

Filesize
348KB

Download
memory/3888-24-0x0000000002D50000-0x000000000309A000-memory.dmp

Filesize
3.3MB

Download
memory/3888-25-0x0000000000A00000-0x0000000000A29000-memory.dmp

Filesize
164KB

Download
memory/3888-27-0x0000000002A80000-0x0000000002B0F000-memory.dmp

Filesize
572KB

Download
memory/4368-18-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/4368-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4368-15-0x0000000001610000-0x000000000195A000-memory.dmp

Filesize
3.3MB

Download
memory/4368-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing