xloader | 247ddda6e2702472217bec887b6e53bbf355e63d45753b4227956ea3e5a0272e

General

Target

$PLUGINSDIR/bckkx.dll
Size

42KB
MD5

eaddca0182a37dcadc481a26307ad111
SHA1

a7aef3dcbd7fffedc716dc70610a1f0f62fcaf42
SHA256

a62639b271e480d9aa28d50945051ae35577711d95702f270060d809b062bb56
SHA512

9409069ca080c0170a70ec7e5baf7dd4c959362c9f540d525f45644ed95012f87b6818b16085bff2e1ae843281be97183372b8b0721673720bb76e93a5704c3d
SSDEEP

768:Tk9vanYHr7T9FE4FiAGKzgVTpQJTvRTyzFEjuRAkwYY7m6:Tk9uYL7hVG1amFEjuRAFYY7m6

Score

10^/10

xloader dgt9 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dgt9

Decoy

glimpse-media.com

crimsongomidv.xyz

seo-clicks6.com

cloudbreakhq.com

oakabbey.net

findcasinoslots.com

thehelloloveshop.com

havetsuczyli.quest

celestialtransportation.net

nianlun.wiki

valentinaturals.com

808gang.net

tykaa.com

sparoom.store

empregosbr1.online

visaractivateddprocessing.com

industriamadereraargentina.com

ekopressbrake.com

984561.com

oklahomacasinoreviews.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral3/memory/2964-1-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2964-5-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/1728-11-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral3/memory/1728-13-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2964	2900	rundll32.exe	29
PID 2964 set thread context of 1260	2964	rundll32.exe	21
PID 1728 set thread context of 1260	1728	cmd.exe	21

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2964	rundll32.exe
2964	rundll32.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe
1728	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
1728	cmd.exe
1728	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	rundll32.exe
Token: SeDebugPrivilege	1728	cmd.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2880 wrote to memory of 2900	2880	rundll32.exe	28
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 2900 wrote to memory of 2964	2900	rundll32.exe	29
PID 1260 wrote to memory of 1728	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1728	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1728	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1728	1260	Explorer.EXE	30
PID 1728 wrote to memory of 2820	1728	cmd.exe	31
PID 1728 wrote to memory of 2820	1728	cmd.exe	31
PID 1728 wrote to memory of 2820	1728	cmd.exe	31
PID 1728 wrote to memory of 2820	1728	cmd.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\bckkx.dll,#1
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-16-0x0000000006B80000-0x0000000006CBD000-memory.dmp

Filesize
1.2MB

Download
memory/1260-6-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/1260-8-0x0000000006B80000-0x0000000006CBD000-memory.dmp

Filesize
1.2MB

Download
memory/1728-12-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/1728-15-0x0000000000510000-0x00000000005A0000-memory.dmp

Filesize
576KB

Download
memory/1728-13-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1728-9-0x000000004A750000-0x000000004A79C000-memory.dmp

Filesize
304KB

Download
memory/1728-10-0x000000004A750000-0x000000004A79C000-memory.dmp

Filesize
304KB

Download
memory/1728-11-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2900-2-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2900-0-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2964-3-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/2964-7-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2964-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2964-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing