xloader | 90c60c57ce0606d09dbd01751eb2bd5cd86d4344bd69ceb2f5697b1239070cce

General

Target

697603470394ef65a7996011adf0db69.exe
Size

727KB
MD5

697603470394ef65a7996011adf0db69
SHA1

7139f8e802aa6decce3ae28fd49c3d92b5e19823
SHA256

90c60c57ce0606d09dbd01751eb2bd5cd86d4344bd69ceb2f5697b1239070cce
SHA512

15a809d90a56b5b8544b994406ca954b39c3650977809e4531b684d6003b9ed597fd1c89c703d985ea898855d49cfb9b7d24f9c198c6c0d033d794c1e33167f6
SSDEEP

12288:zkFoWfF8i1y7REP6iioYl+4U7+iSxGzQXdCnlb8uYhkOH7zg8/W9tMyDi0+/Frrx:zkFxfFTy7REP6iioYl+4U7+iOdClb85l

Score

10^/10

xloader b8eu agilenet loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b8eu

Decoy

ppslide.com

savorysinsation.com

camilaediego2021.com

rstrunk.net

xianshikanxiyang.club

1borefruit.com

ay-danil.club

xamangxcoax.club

waltonunderwood.com

laurabissell.com

laurawmorrow.com

albamauto.net

usamlb.com

theoyays.com

freeitproject.com

jijiservice.com

ukcarpetclean.com

wc399.com

xn--pskrtmebeton-dlbc.online

exclusivemerchantsolutions.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3476-18-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3476-25-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3672-30-0x0000000000920000-0x0000000000948000-memory.dmp	xloader
behavioral2/memory/3672-33-0x0000000000920000-0x0000000000948000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

3476 AddInProcess32.exe

pid	process
3476	AddInProcess32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1748-7-0x00000000075C0000-0x00000000075E8000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

697603470394ef65a7996011adf0db69.exeAddInProcess32.exeWWAHost.exe

description	pid	process	target process
PID 1748 set thread context of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 3476 set thread context of 3392	3476	AddInProcess32.exe	Explorer.EXE
PID 3672 set thread context of 3392	3672	WWAHost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

697603470394ef65a7996011adf0db69.exeAddInProcess32.exeWWAHost.exe

pid	process
1748	697603470394ef65a7996011adf0db69.exe
1748	697603470394ef65a7996011adf0db69.exe
3476	AddInProcess32.exe
3476	AddInProcess32.exe
3476	AddInProcess32.exe
3476	AddInProcess32.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe
3672	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeWWAHost.exe

pid process

3476 AddInProcess32.exe
3476 AddInProcess32.exe
3476 AddInProcess32.exe
3672 WWAHost.exe
3672 WWAHost.exe

pid	process
3476	AddInProcess32.exe
3476	AddInProcess32.exe
3476	AddInProcess32.exe
3672	WWAHost.exe
3672	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

697603470394ef65a7996011adf0db69.exeAddInProcess32.exeWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	1748	697603470394ef65a7996011adf0db69.exe
Token: SeDebugPrivilege	3476	AddInProcess32.exe
Token: SeDebugPrivilege	3672	WWAHost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE

pid	process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

697603470394ef65a7996011adf0db69.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 1748 wrote to memory of 3476	1748	697603470394ef65a7996011adf0db69.exe	AddInProcess32.exe
PID 3392 wrote to memory of 3672	3392	Explorer.EXE	WWAHost.exe
PID 3392 wrote to memory of 3672	3392	Explorer.EXE	WWAHost.exe
PID 3392 wrote to memory of 3672	3392	Explorer.EXE	WWAHost.exe
PID 3672 wrote to memory of 3616	3672	WWAHost.exe	cmd.exe
PID 3672 wrote to memory of 3616	3672	WWAHost.exe	cmd.exe
PID 3672 wrote to memory of 3616	3672	WWAHost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\697603470394ef65a7996011adf0db69.exe
"C:\Users\Admin\AppData\Local\Temp\697603470394ef65a7996011adf0db69.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:3616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/1748-10-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/1748-5-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/1748-11-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1748-13-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/1748-12-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/1748-6-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/1748-7-0x00000000075C0000-0x00000000075E8000-memory.dmp

Filesize
160KB

Download
memory/1748-8-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/1748-9-0x0000000007640000-0x0000000007662000-memory.dmp

Filesize
136KB

Download
memory/1748-21-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1748-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/1748-1-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1748-4-0x0000000005B50000-0x0000000005BEC000-memory.dmp

Filesize
624KB

Download
memory/1748-15-0x0000000007970000-0x0000000007984000-memory.dmp

Filesize
80KB

Download
memory/1748-16-0x000000000A410000-0x000000000A416000-memory.dmp

Filesize
24KB

Download
memory/1748-0-0x0000000000FB0000-0x000000000106C000-memory.dmp

Filesize
752KB

Download
memory/1748-2-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/3392-26-0x0000000008290000-0x0000000008435000-memory.dmp

Filesize
1.6MB

Download
memory/3392-42-0x0000000008750000-0x0000000008890000-memory.dmp

Filesize
1.2MB

Download
memory/3392-39-0x0000000008750000-0x0000000008890000-memory.dmp

Filesize
1.2MB

Download
memory/3392-38-0x0000000008750000-0x0000000008890000-memory.dmp

Filesize
1.2MB

Download
memory/3476-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3476-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3476-24-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3476-22-0x0000000001490000-0x00000000017DA000-memory.dmp

Filesize
3.3MB

Download
memory/3672-27-0x0000000000ED0000-0x0000000000FAC000-memory.dmp

Filesize
880KB

Download
memory/3672-29-0x0000000000ED0000-0x0000000000FAC000-memory.dmp

Filesize
880KB

Download
memory/3672-30-0x0000000000920000-0x0000000000948000-memory.dmp

Filesize
160KB

Download
memory/3672-32-0x0000000001BF0000-0x0000000001F3A000-memory.dmp

Filesize
3.3MB

Download
memory/3672-33-0x0000000000920000-0x0000000000948000-memory.dmp

Filesize
160KB

Download
memory/3672-34-0x0000000001940000-0x00000000019CF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads