xloader | 48f7f3f5ae41bcfefbf47d156939829070a28140c04d7de5c613a20a3415c0e7

General

Target

f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe
Size

743KB
MD5

f20fdb6a62e4769eeaf17d24b9208258
SHA1

c2876bb0ce1383350085783bb5fe851a9b4dadf1
SHA256

48f7f3f5ae41bcfefbf47d156939829070a28140c04d7de5c613a20a3415c0e7
SHA512

51cbb0513e0d6f39dc2e6d30f940743c7b32433294aa26b1f8af7a979ba95f1f24b80b66c81fd26d327070949597901d2c8ec826b8f20ff3f99dd6d2eae5887e
SSDEEP

12288:TeDs1BVQh8G71a4NQDOYyTjTtmJzOHZ+vuhxCVReS1z+V49qsTll9:9+h88uDJ+ssHguz2eSPqspl9

Score

10^/10

xloader e4nr agilenet loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e4nr

Decoy

goldtruckclub.com

javshrimp.com

maeskhall.quest

smartlifeblockchain.net

omychiq.com

musclegearshop.com

namicoscorp.com

ncfqxxkj.com

verifique-banca.com

usadocnetwork.com

heartsurgerygroup.com

cbt-nightmares.com

libraprint.com

wh0n16.com

pompanopaintnsip.com

7aomoquzb9.com

cedse.com

karst-shop.com

target-checkbalances.com

infowebp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3044-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3044-25-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2732-30-0x00000000001A0000-0x00000000001C9000-memory.dmp	xloader
behavioral2/memory/2732-32-0x00000000001A0000-0x00000000001C9000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

pid	Process
3044	mscorsvw.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2208-7-0x0000000006F30000-0x0000000006F58000-memory.dmp	agile_net
behavioral2/memory/2208-10-0x0000000005D10000-0x0000000005D20000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 3044 set thread context of 3548	3044	mscorsvw.exe	56
PID 2732 set thread context of 3548	2732	control.exe	56

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe
2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe
2732	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3044	mscorsvw.exe
3044	mscorsvw.exe
3044	mscorsvw.exe
2732	control.exe
2732	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe
Token: SeDebugPrivilege	3044	mscorsvw.exe
Token: SeDebugPrivilege	2732	control.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3548	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 2208 wrote to memory of 3044	2208	f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe	93
PID 3548 wrote to memory of 2732	3548	Explorer.EXE	102
PID 3548 wrote to memory of 2732	3548	Explorer.EXE	102
PID 3548 wrote to memory of 2732	3548	Explorer.EXE	102
PID 2732 wrote to memory of 1280	2732	control.exe	103
PID 2732 wrote to memory of 1280	2732	control.exe	103
PID 2732 wrote to memory of 1280	2732	control.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f20fdb6a62e4769eeaf17d24b9208258_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
    "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:5100
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4364
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
    3⤵
    PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe

Filesize
131KB

MD5
8ea79e659da869468746abe850d67996

SHA1
c4d483ac89670539592d1b73733c25fb4fe3f574

SHA256
7d8d8696acd1815316174fba563f2e2ad0be3b5e9c6a28e237f9131a41067169

SHA512
f7d62ffa3f0cd1e3e8a163ee2d724854f749ece3169180f573ca683f2641519e8c7fc4308e0e4cc362a78f40640649d2f251ff0e35cd1e1710f810d79b7512b5

Download Submit
memory/2208-8-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/2208-5-0x0000000005C30000-0x0000000005CCC000-memory.dmp

Filesize
624KB

Download
memory/2208-9-0x0000000006FB0000-0x0000000006FD2000-memory.dmp

Filesize
136KB

Download
memory/2208-4-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/2208-10-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2208-6-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2208-7-0x0000000006F30000-0x0000000006F58000-memory.dmp

Filesize
160KB

Download
memory/2208-11-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2208-3-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/2208-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/2208-22-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2208-12-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2208-13-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2208-15-0x0000000007970000-0x0000000007984000-memory.dmp

Filesize
80KB

Download
memory/2208-16-0x0000000009F70000-0x0000000009F76000-memory.dmp

Filesize
24KB

Download
memory/2208-0-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2208-1-0x0000000000CE0000-0x0000000000DA0000-memory.dmp

Filesize
768KB

Download
memory/2732-29-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/2732-34-0x00000000020F0000-0x0000000002180000-memory.dmp

Filesize
576KB

Download
memory/2732-32-0x00000000001A0000-0x00000000001C9000-memory.dmp

Filesize
164KB

Download
memory/2732-31-0x0000000002390000-0x00000000026DA000-memory.dmp

Filesize
3.3MB

Download
memory/2732-30-0x00000000001A0000-0x00000000001C9000-memory.dmp

Filesize
164KB

Download
memory/2732-28-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/3044-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-26-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/3044-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3044-23-0x0000000001290000-0x00000000015DA000-memory.dmp

Filesize
3.3MB

Download
memory/3548-27-0x00000000088E0000-0x0000000008A5E000-memory.dmp

Filesize
1.5MB

Download
memory/3548-35-0x00000000088E0000-0x0000000008A5E000-memory.dmp

Filesize
1.5MB

Download
memory/3548-38-0x0000000008A60000-0x0000000008B1B000-memory.dmp

Filesize
748KB

Download
memory/3548-39-0x0000000008A60000-0x0000000008B1B000-memory.dmp

Filesize
748KB

Download
memory/3548-42-0x0000000008A60000-0x0000000008B1B000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing