xloader | f3272e7d0612d36b532d6a99a15fea8fb9c453188847a12b69d539719c0c8c16

General

Target

ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe
Size

776KB
MD5

ef1d8e37a5a4444647750ba386f63653
SHA1

246446d7a2fe7c8946b3e001c176f01616efd724
SHA256

f3272e7d0612d36b532d6a99a15fea8fb9c453188847a12b69d539719c0c8c16
SHA512

1b6f17298f99b9e60cbbe435efca347658b6bbd8a1bfe7c65af3a209675a3dc909e0e0eb264c244e74f1ca2d5dcb0e0277d47cc2c66e1cdbbc7ecf72faf66c54
SSDEEP

12288:iIVbU2A+XVxfa7zU2ai6D3h0kaHHMzg8/W9tMyDi0+/Frrs+3ZDJZyH:ZXvFxYai6DbanROa4pDJZyH

Score

10^/10

xloader b8eu agilenet loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b8eu

Decoy

ppslide.com

savorysinsation.com

camilaediego2021.com

rstrunk.net

xianshikanxiyang.club

1borefruit.com

ay-danil.club

xamangxcoax.club

waltonunderwood.com

laurabissell.com

laurawmorrow.com

albamauto.net

usamlb.com

theoyays.com

freeitproject.com

jijiservice.com

ukcarpetclean.com

wc399.com

xn--pskrtmebeton-dlbc.online

exclusivemerchantsolutions.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/1396-18-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1396-24-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1396-28-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3064-33-0x00000000001A0000-0x00000000001C8000-memory.dmp	xloader
behavioral2/memory/3064-36-0x00000000001A0000-0x00000000001C8000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

pid	Process
1396	AddInProcess32.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4928-7-0x0000000007010000-0x0000000007038000-memory.dmp	agile_net
behavioral2/memory/4928-10-0x0000000005C50000-0x0000000005C60000-memory.dmp	agile_net

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 1396 set thread context of 3428	1396	AddInProcess32.exe	57
PID 1396 set thread context of 3428	1396	AddInProcess32.exe	57
PID 3064 set thread context of 3428	3064	NETSTAT.EXE	57

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3064	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe
4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE
3064	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
1396	AddInProcess32.exe
3064	NETSTAT.EXE
3064	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe
Token: SeDebugPrivilege	1396	AddInProcess32.exe
Token: SeDebugPrivilege	3064	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 4928 wrote to memory of 1396	4928	ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe	93
PID 3428 wrote to memory of 3064	3428	Explorer.EXE	94
PID 3428 wrote to memory of 3064	3428	Explorer.EXE	94
PID 3428 wrote to memory of 3064	3428	Explorer.EXE	94
PID 3064 wrote to memory of 2812	3064	NETSTAT.EXE	95
PID 3064 wrote to memory of 2812	3064	NETSTAT.EXE	95
PID 3064 wrote to memory of 2812	3064	NETSTAT.EXE	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ef1d8e37a5a4444647750ba386f63653_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/1396-29-0x00000000015E0000-0x00000000015F0000-memory.dmp

Filesize
64KB

Download
memory/1396-25-0x0000000001190000-0x00000000011A0000-memory.dmp

Filesize
64KB

Download
memory/1396-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1396-22-0x0000000001650000-0x000000000199A000-memory.dmp

Filesize
3.3MB

Download
memory/1396-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1396-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3064-36-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/3064-33-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/3064-32-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/3064-31-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/3064-34-0x0000000000CF0000-0x000000000103A000-memory.dmp

Filesize
3.3MB

Download
memory/3064-37-0x0000000000A10000-0x0000000000A9F000-memory.dmp

Filesize
572KB

Download
memory/3428-39-0x0000000008200000-0x00000000082B7000-memory.dmp

Filesize
732KB

Download
memory/3428-30-0x0000000008200000-0x00000000082B7000-memory.dmp

Filesize
732KB

Download
memory/3428-26-0x00000000030A0000-0x0000000003180000-memory.dmp

Filesize
896KB

Download
memory/3428-41-0x00000000082C0000-0x000000000836C000-memory.dmp

Filesize
688KB

Download
memory/3428-43-0x00000000082C0000-0x000000000836C000-memory.dmp

Filesize
688KB

Download
memory/3428-46-0x00000000082C0000-0x000000000836C000-memory.dmp

Filesize
688KB

Download
memory/4928-9-0x0000000007090000-0x00000000070B2000-memory.dmp

Filesize
136KB

Download
memory/4928-21-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-16-0x0000000009E60000-0x0000000009E66000-memory.dmp

Filesize
24KB

Download
memory/4928-15-0x0000000007830000-0x0000000007844000-memory.dmp

Filesize
80KB

Download
memory/4928-13-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/4928-12-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/4928-11-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-10-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/4928-0-0x0000000000CB0000-0x0000000000D78000-memory.dmp

Filesize
800KB

Download
memory/4928-8-0x00000000070C0000-0x0000000007126000-memory.dmp

Filesize
408KB

Download
memory/4928-7-0x0000000007010000-0x0000000007038000-memory.dmp

Filesize
160KB

Download
memory/4928-6-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/4928-5-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/4928-4-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-3-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/4928-2-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/4928-1-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing