xloader | 74c7003daae4332200908731127b6a5252417bcb89ed610532bf577d503c7465

General

Target

7d00a24f9fab1b955425fb32179eae06.exe
Size

885KB
MD5

7d00a24f9fab1b955425fb32179eae06
SHA1

af244f87ea871bcdadd6a979a492e3fbb32be67a
SHA256

74c7003daae4332200908731127b6a5252417bcb89ed610532bf577d503c7465
SHA512

9bf048bec141665d5ee700ff33f2bac00fc58a7e6e2c319ec7d7d3603339846596b9d0e432dea3e37e5dc8fc66783cf17996c1845cab7d24968644dae37f74f8
SSDEEP

12288:8VMcWx9OELy3tq0WkhFCEgYc5PR2+CQFqrWK0o7nXY1yDF2ltu1jst2NjFPMOH9F:iQxIQ0hp8ZPCWK3IcJ2vWjsMNj1

Score

10^/10

xloader uecu loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

uecu

Decoy

ishtarhotel.com

woodstrends.icu

jalenowens.com

manno.expert

ssg1asia.com

telepathylaw.com

quickoprintnv.com

abrosnm3.com

lumberjackcatering.com

beachujamaica.com

thomasjeffersonbyrd.com

starryfinds.com

shelavish2.com

royalglamempirellc.com

deixandomeuemprego.com

alexgoestech.xyz

opticamn.com

fermanchevybrandon.com

milbodegas.info

adunarsrl.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4992-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4992-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/456-22-0x00000000012D0000-0x00000000012F8000-memory.dmp	xloader
behavioral2/memory/456-24-0x00000000012D0000-0x00000000012F8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 4992 set thread context of 3464	4992	RegSvcs.exe	24
PID 456 set thread context of 3464	456	cmstp.exe	24

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4992	RegSvcs.exe
4992	RegSvcs.exe
4992	RegSvcs.exe
4992	RegSvcs.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe
456	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4992	RegSvcs.exe
4992	RegSvcs.exe
4992	RegSvcs.exe
456	cmstp.exe
456	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	RegSvcs.exe
Token: SeDebugPrivilege	456	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 2304 wrote to memory of 4992	2304	7d00a24f9fab1b955425fb32179eae06.exe	92
PID 3464 wrote to memory of 456	3464	Explorer.EXE	93
PID 3464 wrote to memory of 456	3464	Explorer.EXE	93
PID 3464 wrote to memory of 456	3464	Explorer.EXE	93
PID 456 wrote to memory of 1056	456	cmstp.exe	94
PID 456 wrote to memory of 1056	456	cmstp.exe	94
PID 456 wrote to memory of 1056	456	cmstp.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\7d00a24f9fab1b955425fb32179eae06.exe
  "C:\Users\Admin\AppData\Local\Temp\7d00a24f9fab1b955425fb32179eae06.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-20-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/456-26-0x0000000003060000-0x00000000030EF000-memory.dmp

Filesize
572KB

Download
memory/456-24-0x00000000012D0000-0x00000000012F8000-memory.dmp

Filesize
160KB

Download
memory/456-23-0x00000000032D0000-0x000000000361A000-memory.dmp

Filesize
3.3MB

Download
memory/456-22-0x00000000012D0000-0x00000000012F8000-memory.dmp

Filesize
160KB

Download
memory/456-21-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/2304-7-0x0000000005360000-0x000000000537A000-memory.dmp

Filesize
104KB

Download
memory/2304-5-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2304-8-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-9-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2304-10-0x0000000006BA0000-0x0000000006C3E000-memory.dmp

Filesize
632KB

Download
memory/2304-11-0x00000000091C0000-0x00000000091EE000-memory.dmp

Filesize
184KB

Download
memory/2304-1-0x00000000003A0000-0x0000000000484000-memory.dmp

Filesize
912KB

Download
memory/2304-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/2304-16-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/2304-4-0x0000000004F60000-0x0000000004FFC000-memory.dmp

Filesize
624KB

Download
memory/2304-0-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-6-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/3464-19-0x0000000008160000-0x000000000829D000-memory.dmp

Filesize
1.2MB

Download
memory/3464-27-0x0000000008160000-0x000000000829D000-memory.dmp

Filesize
1.2MB

Download
memory/3464-30-0x00000000082A0000-0x00000000083D2000-memory.dmp

Filesize
1.2MB

Download
memory/3464-31-0x00000000082A0000-0x00000000083D2000-memory.dmp

Filesize
1.2MB

Download
memory/3464-34-0x00000000082A0000-0x00000000083D2000-memory.dmp

Filesize
1.2MB

Download
memory/4992-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4992-18-0x0000000001480000-0x0000000001490000-memory.dmp

Filesize
64KB

Download
memory/4992-14-0x00000000014B0000-0x00000000017FA000-memory.dmp

Filesize
3.3MB

Download
memory/4992-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing